diff --git a/.travis.yml b/.travis.yml index 77f50b57b..4300bb28b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,12 +5,12 @@ cache: - $HOME/.composer/cache - vendor php: -- 5.3 - 5.4 - 5.5 - 5.6 - 7.0 - 7.1 +- 7.2 env: global: - secure: Bc5ZqvZ1YYpoPZNNuU2eCB8DS6vBYrAdfBtTenBs5NSxzb+Vjven4kWakbzaMvZjb/Ib7Uph7DGuOtJXpmxnvBXPLd707LZ89oFWN/yqQlZKCcm8iErvJCB5XL+/ONHj2iPdR242HJweMcat6bMCwbVWoNDidjtWMH0U2mYFy3M= @@ -29,3 +29,5 @@ before_script: - psql -c 'create database oauth2_server_php;' -U postgres after_script: - php test/cleanup.php +script: +- vendor/bin/phpunit diff --git a/CHANGELOG.md b/CHANGELOG.md index 4fddd72c9..7671b2396 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,24 @@ To see the files changed for a given bug, go to https://github.com/bshaffer/oaut To get the diff between two versions, go to https://github.com/bshaffer/oauth2-server-php/compare/v1.0...v1.1 To get the diff for a specific change, go to https://github.com/bshaffer/oauth2-server-php/commit/XXX where XXX is the change hash +* 1.10.0 (2017-12-14) + + PR: https://github.com/bshaffer/oauth2-server-php/pull/889 + + * #795 - [feature] added protected createPayload method to allow easier customization of JWT payload + * #807 - [refactor] simplifies UserInfoController constructor + * #814 - [docs] Adds https to README link + * #827 - [testing] Explicitly pulls in phpunit 4 + * #828 - [docs] PHPDoc improvements and type hinting of variables. + * #829 - [bug] Fix CORS issue for revoking and requesting an access token + * #869 - [testing] Remove php 5.3 from travis and use vendored phpunit + * #834 - [feature] use random_bytes if available + * #851 - [docs] Fix PHPDoc + * #872 - [bug] Fix count() error on PHP 7.2 + * #873 - [testing] adds php 7.2 to travis + * #794 - [docs] Fix typo in composer.json + * #885 - [testing] Use PHPUnit\Framework\TestCase instead of PHPUnit_Framework_TestCase + * 1.9.0 (2016-01-06) PR: https://github.com/bshaffer/oauth2-server-php/pull/788 @@ -87,7 +105,7 @@ To get the diff for a specific change, go to https://github.com/bshaffer/oauth2- * bug #346 Fixes open_basedir warning * bug #351 Adds OpenID Connect support * bug #355 Adds php 5.6 and HHVM to travis.ci testing - * [BC] bug #358 Adds `getQuerystringIdentifier()` to the GrantType interface + * [BC] bug #358 Adds `getQueryStringIdentifier()` to the GrantType interface * bug #363 Encryption\JWT - Allows for subclassing JWT Headers * bug #349 Bearer Tokens - adds requestHasToken method for when access tokens are optional * bug #301 Encryption\JWT - fixes urlSafeB64Encode(): ensures newlines are replaced as expected diff --git a/README.md b/README.md index 4ceda6cf9..f1788e9ce 100644 --- a/README.md +++ b/README.md @@ -5,4 +5,4 @@ oauth2-server-php [![Total Downloads](https://poser.pugx.org/bshaffer/oauth2-server-php/downloads.png)](https://packagist.org/packages/bshaffer/oauth2-server-php) -View the [complete documentation](http://bshaffer.github.io/oauth2-server-php-docs/) \ No newline at end of file +View the [complete documentation](https://bshaffer.github.io/oauth2-server-php-docs/) diff --git a/composer.json b/composer.json index 561699f5e..272d20027 100644 --- a/composer.json +++ b/composer.json @@ -19,6 +19,7 @@ "php":">=5.3.9" }, "require-dev": { + "phpunit/phpunit": "^4.0", "aws/aws-sdk-php": "~2.8", "firebase/php-jwt": "~2.2", "predis/predis": "dev-master", @@ -29,6 +30,7 @@ "predis/predis": "Required to use Redis storage", "thobbs/phpcassa": "Required to use Cassandra storage", "aws/aws-sdk-php": "~2.8 is required to use DynamoDB storage", - "firebase/php-jwt": "~1.1 is required to use MondoDB storage" + "firebase/php-jwt": "~2.2 is required to use JWT features", + "mongodb/mongodb": "^1.1 is required to use MongoDB storage" } } diff --git a/src/OAuth2/Autoloader.php b/src/OAuth2/Autoloader.php index ecfb6ba75..4ec08cbdd 100644 --- a/src/OAuth2/Autoloader.php +++ b/src/OAuth2/Autoloader.php @@ -10,8 +10,14 @@ */ class Autoloader { + /** + * @var string + */ private $dir; + /** + * @param string $dir + */ public function __construct($dir = null) { if (is_null($dir)) { @@ -19,6 +25,7 @@ public function __construct($dir = null) } $this->dir = $dir; } + /** * Registers OAuth2\Autoloader as an SPL autoloader. */ @@ -31,9 +38,8 @@ public static function register($dir = null) /** * Handles autoloading of classes. * - * @param string $class A class name. - * - * @return boolean Returns true if the class has been loaded + * @param string $class - A class name. + * @return boolean - Returns true if the class has been loaded */ public function autoload($class) { diff --git a/src/OAuth2/ClientAssertionType/ClientAssertionTypeInterface.php b/src/OAuth2/ClientAssertionType/ClientAssertionTypeInterface.php index 29c7171b5..6a167da90 100644 --- a/src/OAuth2/ClientAssertionType/ClientAssertionTypeInterface.php +++ b/src/OAuth2/ClientAssertionType/ClientAssertionTypeInterface.php @@ -10,6 +10,19 @@ */ interface ClientAssertionTypeInterface { + /** + * Validate the OAuth request + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @return mixed + */ public function validateRequest(RequestInterface $request, ResponseInterface $response); + + /** + * Get the client id + * + * @return mixed + */ public function getClientId(); } diff --git a/src/OAuth2/ClientAssertionType/HttpBasic.php b/src/OAuth2/ClientAssertionType/HttpBasic.php index 0ecb7e18d..ef6120300 100644 --- a/src/OAuth2/ClientAssertionType/HttpBasic.php +++ b/src/OAuth2/ClientAssertionType/HttpBasic.php @@ -5,6 +5,7 @@ use OAuth2\Storage\ClientCredentialsInterface; use OAuth2\RequestInterface; use OAuth2\ResponseInterface; +use LogicException; /** * Validate a client via Http Basic authentication @@ -19,14 +20,16 @@ class HttpBasic implements ClientAssertionTypeInterface protected $config; /** - * @param OAuth2\Storage\ClientCredentialsInterface $clientStorage REQUIRED Storage class for retrieving client credentials information - * @param array $config OPTIONAL Configuration options for the server - * - * $config = array( - * 'allow_credentials_in_request_body' => true, // whether to look for credentials in the POST body in addition to the Authorize HTTP Header - * 'allow_public_clients' => true // if true, "public clients" (clients without a secret) may be authenticated - * ); - * + * Config array $config should look as follows: + * @code + * $config = array( + * 'allow_credentials_in_request_body' => true, // whether to look for credentials in the POST body in addition to the Authorize HTTP Header + * 'allow_public_clients' => true // if true, "public clients" (clients without a secret) may be authenticated + * ); + * @endcode + * + * @param ClientCredentialsInterface $storage Storage + * @param array $config Configuration options for the server */ public function __construct(ClientCredentialsInterface $storage, array $config = array()) { @@ -37,6 +40,14 @@ public function __construct(ClientCredentialsInterface $storage, array $config = ), $config); } + /** + * Validate the OAuth request + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @return bool|mixed + * @throws LogicException + */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$clientData = $this->getClientCredentials($request, $response)) { @@ -44,7 +55,7 @@ public function validateRequest(RequestInterface $request, ResponseInterface $re } if (!isset($clientData['client_id'])) { - throw new \LogicException('the clientData array must have "client_id" set'); + throw new LogicException('the clientData array must have "client_id" set'); } if (!isset($clientData['client_secret']) || $clientData['client_secret'] == '') { @@ -70,6 +81,11 @@ public function validateRequest(RequestInterface $request, ResponseInterface $re return true; } + /** + * Get the client id + * + * @return mixed + */ public function getClientId() { return $this->clientData['client_id']; @@ -82,13 +98,14 @@ public function getClientId() * According to the spec (draft 20), the client_id can be provided in * the Basic Authorization header (recommended) or via GET/POST. * - * @return - * A list containing the client identifier and password, for example + * @param RequestInterface $request + * @param ResponseInterface $response + * @return array|null A list containing the client identifier and password, for example: * @code - * return array( - * "client_id" => CLIENT_ID, // REQUIRED the client id - * "client_secret" => CLIENT_SECRET, // OPTIONAL the client secret (may be omitted for public clients) - * ); + * return array( + * "client_id" => CLIENT_ID, // REQUIRED the client id + * "client_secret" => CLIENT_SECRET, // OPTIONAL the client secret (may be omitted for public clients) + * ); * @endcode * * @see http://tools.ietf.org/html/rfc6749#section-2.3.1 @@ -108,7 +125,6 @@ public function getClientCredentials(RequestInterface $request, ResponseInterfac * client_secret can be null if the client's password is an empty string * @see http://tools.ietf.org/html/rfc6749#section-2.3.1 */ - return array('client_id' => $request->request('client_id'), 'client_secret' => $request->request('client_secret')); } } diff --git a/src/OAuth2/Controller/AuthorizeController.php b/src/OAuth2/Controller/AuthorizeController.php index ea7f54a87..4bafb1d24 100644 --- a/src/OAuth2/Controller/AuthorizeController.php +++ b/src/OAuth2/Controller/AuthorizeController.php @@ -7,37 +7,76 @@ use OAuth2\RequestInterface; use OAuth2\ResponseInterface; use OAuth2\Scope; +use InvalidArgumentException; /** - * @see OAuth2\Controller\AuthorizeControllerInterface + * @see AuthorizeControllerInterface */ class AuthorizeController implements AuthorizeControllerInterface { + /** + * @var string + */ private $scope; + + /** + * @var int + */ private $state; + + /** + * @var mixed + */ private $client_id; + + /** + * @var string + */ private $redirect_uri; + + /** + * The response type + * + * @var string + */ private $response_type; + /** + * @var ClientInterface + */ protected $clientStorage; + + /** + * @var array + */ protected $responseTypes; + + /** + * @var array + */ protected $config; + + /** + * @var ScopeInterface + */ protected $scopeUtil; /** - * @param OAuth2\Storage\ClientInterface $clientStorage REQUIRED Instance of OAuth2\Storage\ClientInterface to retrieve client information - * @param array $responseTypes OPTIONAL Array of OAuth2\ResponseType\ResponseTypeInterface objects. Valid array - * keys are "code" and "token" - * @param array $config OPTIONAL Configuration options for the server - * - * $config = array( - * 'allow_implicit' => false, // if the controller should allow the "implicit" grant type - * 'enforce_state' => true // if the controller should require the "state" parameter - * 'require_exact_redirect_uri' => true, // if the controller should require an exact match on the "redirect_uri" parameter - * 'redirect_status_code' => 302, // HTTP status code to use for redirect responses - * ); - * - * @param OAuth2\ScopeInterface $scopeUtil OPTIONAL Instance of OAuth2\ScopeInterface to validate the requested scope + * Constructor + * + * @param ClientInterface $clientStorage REQUIRED Instance of OAuth2\Storage\ClientInterface to retrieve client information + * @param array $responseTypes OPTIONAL Array of OAuth2\ResponseType\ResponseTypeInterface objects. Valid array + * keys are "code" and "token" + * @param array $config OPTIONAL Configuration options for the server: + * @param ScopeInterface $scopeUtil OPTIONAL Instance of OAuth2\ScopeInterface to validate the requested scope + * @code + * $config = array( + * 'allow_implicit' => false, // if the controller should allow the "implicit" grant type + * 'enforce_state' => true // if the controller should require the "state" parameter + * 'require_exact_redirect_uri' => true, // if the controller should require an exact match on the "redirect_uri" parameter + * 'redirect_status_code' => 302, // HTTP status code to use for redirect responses + * ); + * @endcode */ public function __construct(ClientInterface $clientStorage, array $responseTypes = array(), array $config = array(), ScopeInterface $scopeUtil = null) { @@ -56,10 +95,20 @@ public function __construct(ClientInterface $clientStorage, array $responseTypes $this->scopeUtil = $scopeUtil; } + /** + * Handle the authorization request + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @param boolean $is_authorized + * @param mixed $user_id + * @return mixed|void + * @throws InvalidArgumentException + */ public function handleAuthorizeRequest(RequestInterface $request, ResponseInterface $response, $is_authorized, $user_id = null) { if (!is_bool($is_authorized)) { - throw new \InvalidArgumentException('Argument "is_authorized" must be a boolean. This method must know if the user has granted access to the client.'); + throw new InvalidArgumentException('Argument "is_authorized" must be a boolean. This method must know if the user has granted access to the client.'); } // We repeat this, because we need to re-validate. The request could be POSTed @@ -101,6 +150,14 @@ public function handleAuthorizeRequest(RequestInterface $request, ResponseInterf $response->setRedirect($this->config['redirect_status_code'], $uri); } + /** + * Set not authorized response + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @param string $redirect_uri + * @param mixed $user_id + */ protected function setNotAuthorizedResponse(RequestInterface $request, ResponseInterface $response, $redirect_uri, $user_id = null) { $error = 'access_denied'; @@ -108,9 +165,16 @@ protected function setNotAuthorizedResponse(RequestInterface $request, ResponseI $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $this->state, $error, $error_message); } - /* + /** * We have made this protected so this class can be extended to add/modify * these parameters + * + * @TODO: add dependency injection for the parameters in this method + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @param mixed $user_id + * @return array */ protected function buildAuthorizeParameters($request, $response, $user_id) { @@ -127,6 +191,8 @@ protected function buildAuthorizeParameters($request, $response, $user_id) } /** + * Validate the OAuth request + * * @param RequestInterface $request * @param ResponseInterface $response * @return bool @@ -186,7 +252,7 @@ public function validateAuthorizeRequest(RequestInterface $request, ResponseInte $redirect_uri = $registered_redirect_uri; } - // Select the redirect URI + // Select the response type $response_type = $request->query('response_type', $request->request('response_type')); // for multiple-valued response types - make them alphabetical @@ -281,10 +347,10 @@ public function validateAuthorizeRequest(RequestInterface $request, ResponseInte /** * Build the absolute URI based on supplied URI and parameters. * - * @param $uri An absolute URI. - * @param $params Parameters to be append as GET. + * @param string $uri An absolute URI. + * @param array $params Parameters to be append as GET. * - * @return + * @return string * An absolute URI with supplied parameters. * * @ingroup oauth2_section_4 @@ -302,9 +368,9 @@ private function buildUri($uri, $params) } } - // Put humpty dumpty back together + // Put the uri back together return - ((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : "") + ((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : "") . ((isset($parse_url["user"])) ? $parse_url["user"] . ((isset($parse_url["pass"])) ? ":" . $parse_url["pass"] : "") . "@" : "") . ((isset($parse_url["host"])) ? $parse_url["host"] : "") @@ -326,10 +392,10 @@ protected function getValidResponseTypes() /** * Internal method for validating redirect URI supplied * - * @param string $inputUri The submitted URI to be validated + * @param string $inputUri The submitted URI to be validated * @param string $registeredUriString The allowed URI(s) to validate against. Can be a space-delimited string of URIs to * allow for multiple URIs - * + * @return bool * @see http://tools.ietf.org/html/rfc6749#section-3.1.2 */ protected function validateRedirectUri($inputUri, $registeredUriString) @@ -363,29 +429,50 @@ protected function validateRedirectUri($inputUri, $registeredUriString) } /** - * Convenience methods to access the parameters derived from the validated request + * Convenience method to access the scope + * + * @return string */ - public function getScope() { return $this->scope; } + /** + * Convenience method to access the state + * + * @return int + */ public function getState() { return $this->state; } + /** + * Convenience method to access the client id + * + * @return mixed + */ public function getClientId() { return $this->client_id; } + /** + * Convenience method to access the redirect url + * + * @return string + */ public function getRedirectUri() { return $this->redirect_uri; } + /** + * Convenience method to access the response type + * + * @return string + */ public function getResponseType() { return $this->response_type; diff --git a/src/OAuth2/Controller/AuthorizeControllerInterface.php b/src/OAuth2/Controller/AuthorizeControllerInterface.php index fa07ae8d2..f758f976a 100644 --- a/src/OAuth2/Controller/AuthorizeControllerInterface.php +++ b/src/OAuth2/Controller/AuthorizeControllerInterface.php @@ -11,17 +11,18 @@ * authorization directly, this controller ensures the request is valid, but * requires the application to determine the value of $is_authorized * - * ex: - * > $user_id = $this->somehowDetermineUserId(); - * > $is_authorized = $this->somehowDetermineUserAuthorization(); - * > $response = new OAuth2\Response(); - * > $authorizeController->handleAuthorizeRequest( - * > OAuth2\Request::createFromGlobals(), - * > $response, - * > $is_authorized, - * > $user_id); - * > $response->send(); - * + * @code + * $user_id = $this->somehowDetermineUserId(); + * $is_authorized = $this->somehowDetermineUserAuthorization(); + * $response = new OAuth2\Response(); + * $authorizeController->handleAuthorizeRequest( + * OAuth2\Request::createFromGlobals(), + * $response, + * $is_authorized, + * $user_id + * ); + * $response->send(); + * @endcode */ interface AuthorizeControllerInterface { @@ -37,7 +38,21 @@ interface AuthorizeControllerInterface const RESPONSE_TYPE_AUTHORIZATION_CODE = 'code'; const RESPONSE_TYPE_ACCESS_TOKEN = 'token'; + /** + * Handle the OAuth request + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @param $is_authorized + * @param null $user_id + * @return mixed + */ public function handleAuthorizeRequest(RequestInterface $request, ResponseInterface $response, $is_authorized, $user_id = null); + /** + * @param RequestInterface $request + * @param ResponseInterface $response + * @return bool + */ public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response); } diff --git a/src/OAuth2/Controller/ResourceController.php b/src/OAuth2/Controller/ResourceController.php index 3cfaaaf12..926f90fda 100644 --- a/src/OAuth2/Controller/ResourceController.php +++ b/src/OAuth2/Controller/ResourceController.php @@ -10,17 +10,43 @@ use OAuth2\Scope; /** - * @see OAuth2\Controller\ResourceControllerInterface + * @see ResourceControllerInterface */ class ResourceController implements ResourceControllerInterface { + /** + * @var array + */ private $token; + /** + * @var TokenTypeInterface + */ protected $tokenType; + + /** + * @var AccessTokenInterface + */ protected $tokenStorage; + + /** + * @var array + */ protected $config; + + /** + * @var ScopeInterface + */ protected $scopeUtil; + /** + * Constructor + * + * @param TokenTypeInterface $tokenType + * @param AccessTokenInterface $tokenStorage + * @param array $config + * @param ScopeInterface $scopeUtil + */ public function __construct(TokenTypeInterface $tokenType, AccessTokenInterface $tokenStorage, $config = array(), ScopeInterface $scopeUtil = null) { $this->tokenType = $tokenType; @@ -36,6 +62,14 @@ public function __construct(TokenTypeInterface $tokenType, AccessTokenInterface $this->scopeUtil = $scopeUtil; } + /** + * Verify the resource request + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @param null $scope + * @return bool + */ public function verifyResourceRequest(RequestInterface $request, ResponseInterface $response, $scope = null) { $token = $this->getAccessTokenData($request, $response); @@ -71,6 +105,13 @@ public function verifyResourceRequest(RequestInterface $request, ResponseInterfa return (bool) $token; } + /** + * Get access token data. + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @return array|null + */ public function getAccessTokenData(RequestInterface $request, ResponseInterface $response) { // Get the token parameter @@ -103,7 +144,11 @@ public function getAccessTokenData(RequestInterface $request, ResponseInterface return null; } - // convenience method to allow retrieval of the token + /** + * convenience method to allow retrieval of the token. + * + * @return array + */ public function getToken() { return $this->token; diff --git a/src/OAuth2/Controller/ResourceControllerInterface.php b/src/OAuth2/Controller/ResourceControllerInterface.php index 611421935..0e847ca61 100644 --- a/src/OAuth2/Controller/ResourceControllerInterface.php +++ b/src/OAuth2/Controller/ResourceControllerInterface.php @@ -10,17 +10,32 @@ * call verifyResourceRequest in order to determine if the request * contains a valid token. * - * ex: - * > if (!$resourceController->verifyResourceRequest(OAuth2\Request::createFromGlobals(), $response = new OAuth2\Response())) { - * > $response->send(); // authorization failed - * > die(); - * > } - * > return json_encode($resource); // valid token! Send the stuff! - * + * @code + * if (!$resourceController->verifyResourceRequest(OAuth2\Request::createFromGlobals(), $response = new OAuth2\Response())) { + * $response->send(); // authorization failed + * die(); + * } + * return json_encode($resource); // valid token! Send the stuff! + * @endcode */ interface ResourceControllerInterface { + /** + * Verify the resource request + * + * @param RequestInterface $request - Request object + * @param ResponseInterface $response - Response object + * @param string $scope + * @return mixed + */ public function verifyResourceRequest(RequestInterface $request, ResponseInterface $response, $scope = null); + /** + * Get access token data. + * + * @param RequestInterface $request - Request object + * @param ResponseInterface $response - Response object + * @return mixed + */ public function getAccessTokenData(RequestInterface $request, ResponseInterface $response); } diff --git a/src/OAuth2/Controller/TokenController.php b/src/OAuth2/Controller/TokenController.php index 5d2d731fe..7fdaf85a6 100644 --- a/src/OAuth2/Controller/TokenController.php +++ b/src/OAuth2/Controller/TokenController.php @@ -10,9 +10,12 @@ use OAuth2\Storage\ClientInterface; use OAuth2\RequestInterface; use OAuth2\ResponseInterface; +use InvalidArgumentException; +use LogicException; +use RuntimeException; /** - * @see \OAuth2\Controller\TokenControllerInterface + * @see TokenControllerInterface */ class TokenController implements TokenControllerInterface { @@ -22,7 +25,7 @@ class TokenController implements TokenControllerInterface protected $accessToken; /** - * @var array + * @var array */ protected $grantTypes; @@ -32,7 +35,7 @@ class TokenController implements TokenControllerInterface protected $clientAssertionType; /** - * @var Scope|ScopeInterface + * @var ScopeInterface */ protected $scopeUtil; @@ -41,12 +44,22 @@ class TokenController implements TokenControllerInterface */ protected $clientStorage; + /** + * Constructor + * + * @param AccessTokenInterface $accessToken + * @param ClientInterface $clientStorage + * @param array $grantTypes + * @param ClientAssertionTypeInterface $clientAssertionType + * @param ScopeInterface $scopeUtil + * @throws InvalidArgumentException + */ public function __construct(AccessTokenInterface $accessToken, ClientInterface $clientStorage, array $grantTypes = array(), ClientAssertionTypeInterface $clientAssertionType = null, ScopeInterface $scopeUtil = null) { if (is_null($clientAssertionType)) { foreach ($grantTypes as $grantType) { if (!$grantType instanceof ClientAssertionTypeInterface) { - throw new \InvalidArgumentException('You must supply an instance of OAuth2\ClientAssertionType\ClientAssertionTypeInterface or only use grant types which implement OAuth2\ClientAssertionType\ClientAssertionTypeInterface'); + throw new InvalidArgumentException('You must supply an instance of OAuth2\ClientAssertionType\ClientAssertionTypeInterface or only use grant types which implement OAuth2\ClientAssertionType\ClientAssertionTypeInterface'); } } } @@ -63,6 +76,12 @@ public function __construct(AccessTokenInterface $accessToken, ClientInterface $ $this->scopeUtil = $scopeUtil; } + /** + * Handle the token request. + * + * @param RequestInterface $request - Request object to grant access token + * @param ResponseInterface $response - Response object + */ public function handleTokenRequest(RequestInterface $request, ResponseInterface $response) { if ($token = $this->grantAccessToken($request, $response)) { @@ -83,8 +102,10 @@ public function handleTokenRequest(RequestInterface $request, ResponseInterface * This would be called from the "/token" endpoint as defined in the spec. * You can call your endpoint whatever you want. * - * @param RequestInterface $request Request object to grant access token - * @param ResponseInterface $response + * @param RequestInterface $request - Request object to grant access token + * @param ResponseInterface $response - Response object + * + * @return bool|null|array * * @throws \InvalidArgumentException * @throws \LogicException @@ -97,9 +118,15 @@ public function handleTokenRequest(RequestInterface $request, ResponseInterface */ public function grantAccessToken(RequestInterface $request, ResponseInterface $response) { - if (strtolower($request->server('REQUEST_METHOD')) != 'post') { + if (strtolower($request->server('REQUEST_METHOD')) === 'options') { + $response->addHttpHeaders(array('Allow' => 'POST, OPTIONS')); + + return null; + } + + if (strtolower($request->server('REQUEST_METHOD')) !== 'post') { $response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2'); - $response->addHttpHeaders(array('Allow' => 'POST')); + $response->addHttpHeaders(array('Allow' => 'POST, OPTIONS')); return null; } @@ -121,6 +148,7 @@ public function grantAccessToken(RequestInterface $request, ResponseInterface $r return null; } + /** @var GrantTypeInterface $grantType */ $grantType = $this->grantTypes[$grantTypeIdentifier]; /** @@ -128,8 +156,8 @@ public function grantAccessToken(RequestInterface $request, ResponseInterface $r * ClientAssertionTypes allow for grant types which also assert the client data * in which case ClientAssertion is handled in the validateRequest method * - * @see OAuth2\GrantType\JWTBearer - * @see OAuth2\GrantType\ClientCredentials + * @see \OAuth2\GrantType\JWTBearer + * @see \OAuth2\GrantType\ClientCredentials */ if (!$grantType instanceof ClientAssertionTypeInterface) { if (!$this->clientAssertionType->validateRequest($request, $response)) { @@ -178,7 +206,6 @@ public function grantAccessToken(RequestInterface $request, ResponseInterface $r * * @see http://tools.ietf.org/html/rfc6749#section-3.3 */ - $requestedScope = $this->scopeUtil->getScopeFromRequest($request); $availableScope = $grantType->getScope(); @@ -225,20 +252,24 @@ public function grantAccessToken(RequestInterface $request, ResponseInterface $r } /** - * addGrantType + * Add grant type * - * @param GrantTypeInterface $grantType the grant type to add for the specified identifier - * @param string $identifier a string passed in as "grant_type" in the response that will call this grantType + * @param GrantTypeInterface $grantType - the grant type to add for the specified identifier + * @param string|null $identifier - a string passed in as "grant_type" in the response that will call this grantType */ public function addGrantType(GrantTypeInterface $grantType, $identifier = null) { if (is_null($identifier) || is_numeric($identifier)) { - $identifier = $grantType->getQuerystringIdentifier(); + $identifier = $grantType->getQueryStringIdentifier(); } $this->grantTypes[$identifier] = $grantType; } + /** + * @param RequestInterface $request + * @param ResponseInterface $response + */ public function handleRevokeRequest(RequestInterface $request, ResponseInterface $response) { if ($this->revokeToken($request, $response)) { @@ -257,13 +288,20 @@ public function handleRevokeRequest(RequestInterface $request, ResponseInterface * * @param RequestInterface $request * @param ResponseInterface $response + * @throws RuntimeException * @return bool|null */ public function revokeToken(RequestInterface $request, ResponseInterface $response) { - if (strtolower($request->server('REQUEST_METHOD')) != 'post') { + if (strtolower($request->server('REQUEST_METHOD')) === 'options') { + $response->addHttpHeaders(array('Allow' => 'POST, OPTIONS')); + + return null; + } + + if (strtolower($request->server('REQUEST_METHOD')) !== 'post') { $response->setError(405, 'invalid_request', 'The request method must be POST when revoking an access token', '#section-3.2'); - $response->addHttpHeaders(array('Allow' => 'POST')); + $response->addHttpHeaders(array('Allow' => 'POST, OPTIONS')); return null; } @@ -285,7 +323,7 @@ public function revokeToken(RequestInterface $request, ResponseInterface $respon // @todo remove this check for v2.0 if (!method_exists($this->accessToken, 'revokeToken')) { $class = get_class($this->accessToken); - throw new \RuntimeException("AccessToken {$class} does not implement required revokeToken method"); + throw new RuntimeException("AccessToken {$class} does not implement required revokeToken method"); } $this->accessToken->revokeToken($token, $token_type_hint); diff --git a/src/OAuth2/Controller/TokenControllerInterface.php b/src/OAuth2/Controller/TokenControllerInterface.php index 72d72570f..2f83ce4bd 100644 --- a/src/OAuth2/Controller/TokenControllerInterface.php +++ b/src/OAuth2/Controller/TokenControllerInterface.php @@ -10,23 +10,30 @@ * it is called to handle all grant types the application supports. * It also validates the client's credentials * - * ex: - * > $tokenController->handleTokenRequest(OAuth2\Request::createFromGlobals(), $response = new OAuth2\Response()); - * > $response->send(); - * + * @code + * $tokenController->handleTokenRequest(OAuth2\Request::createFromGlobals(), $response = new OAuth2\Response()); + * $response->send(); + * @endcode */ interface TokenControllerInterface { /** - * handleTokenRequest - * - * @param $request - * OAuth2\RequestInterface - The current http request - * @param $response - * OAuth2\ResponseInterface - An instance of OAuth2\ResponseInterface to contain the response data + * Handle the token request * + * @param RequestInterface $request - The current http request + * @param ResponseInterface $response - An instance of OAuth2\ResponseInterface to contain the response data */ public function handleTokenRequest(RequestInterface $request, ResponseInterface $response); + /** + * Grant or deny a requested access token. + * This would be called from the "/token" endpoint as defined in the spec. + * You can call your endpoint whatever you want. + * + * @param RequestInterface $request - Request object to grant access token + * @param ResponseInterface $response - Response object + * + * @return mixed + */ public function grantAccessToken(RequestInterface $request, ResponseInterface $response); } diff --git a/src/OAuth2/Encryption/EncryptionInterface.php b/src/OAuth2/Encryption/EncryptionInterface.php index 2d336c664..8dc720a43 100644 --- a/src/OAuth2/Encryption/EncryptionInterface.php +++ b/src/OAuth2/Encryption/EncryptionInterface.php @@ -4,8 +4,31 @@ interface EncryptionInterface { + /** + * @param $payload + * @param $key + * @param null $algorithm + * @return mixed + */ public function encode($payload, $key, $algorithm = null); + + /** + * @param $payload + * @param $key + * @param null $algorithm + * @return mixed + */ public function decode($payload, $key, $algorithm = null); + + /** + * @param $data + * @return mixed + */ public function urlSafeB64Encode($data); + + /** + * @param $b64 + * @return mixed + */ public function urlSafeB64Decode($b64); } diff --git a/src/OAuth2/Encryption/Jwt.php b/src/OAuth2/Encryption/Jwt.php index ee576e643..c258b8fc3 100644 --- a/src/OAuth2/Encryption/Jwt.php +++ b/src/OAuth2/Encryption/Jwt.php @@ -2,12 +2,21 @@ namespace OAuth2\Encryption; +use Exception; +use InvalidArgumentException; + /** * @link https://github.com/F21/jwt * @author F21 */ class Jwt implements EncryptionInterface { + /** + * @param $payload + * @param $key + * @param string $algo + * @return string + */ public function encode($payload, $key, $algo = 'HS256') { $header = $this->generateJwtHeader($payload, $algo); @@ -25,6 +34,12 @@ public function encode($payload, $key, $algo = 'HS256') return implode('.', $segments); } + /** + * @param string $jwt + * @param null $key + * @param array|bool $allowedAlgorithms + * @return bool|mixed + */ public function decode($jwt, $key = null, $allowedAlgorithms = true) { if (!strpos($jwt, '.')) { @@ -67,6 +82,14 @@ public function decode($jwt, $key = null, $allowedAlgorithms = true) return $payload; } + /** + * @param $signature + * @param $input + * @param $key + * @param string $algo + * @return bool + * @throws InvalidArgumentException + */ private function verifySignature($signature, $input, $key, $algo = 'HS256') { // use constants when possible, for HipHop support @@ -89,10 +112,17 @@ private function verifySignature($signature, $input, $key, $algo = 'HS256') return @openssl_verify($input, $signature, $key, defined('OPENSSL_ALGO_SHA512') ? OPENSSL_ALGO_SHA512 : 'sha512') === 1; default: - throw new \InvalidArgumentException("Unsupported or invalid signing algorithm."); + throw new InvalidArgumentException("Unsupported or invalid signing algorithm."); } } + /** + * @param $input + * @param $key + * @param string $algo + * @return string + * @throws Exception + */ private function sign($input, $key, $algo = 'HS256') { switch ($algo) { @@ -115,19 +145,30 @@ private function sign($input, $key, $algo = 'HS256') return $this->generateRSASignature($input, $key, defined('OPENSSL_ALGO_SHA512') ? OPENSSL_ALGO_SHA512 : 'sha512'); default: - throw new \Exception("Unsupported or invalid signing algorithm."); + throw new Exception("Unsupported or invalid signing algorithm."); } } + /** + * @param $input + * @param $key + * @param string $algo + * @return mixed + * @throws Exception + */ private function generateRSASignature($input, $key, $algo) { if (!openssl_sign($input, $signature, $key, $algo)) { - throw new \Exception("Unable to sign data."); + throw new Exception("Unable to sign data."); } return $signature; } + /** + * @param string $data + * @return string + */ public function urlSafeB64Encode($data) { $b64 = base64_encode($data); @@ -138,6 +179,10 @@ public function urlSafeB64Encode($data) return $b64; } + /** + * @param string $b64 + * @return mixed|string + */ public function urlSafeB64Decode($b64) { $b64 = str_replace(array('-', '_'), @@ -158,6 +203,11 @@ protected function generateJwtHeader($payload, $algorithm) ); } + /** + * @param string $a + * @param string $b + * @return bool + */ protected function hash_equals($a, $b) { if (function_exists('hash_equals')) { @@ -170,4 +220,4 @@ protected function hash_equals($a, $b) return $diff === 0; } -} +} \ No newline at end of file diff --git a/src/OAuth2/GrantType/AuthorizationCode.php b/src/OAuth2/GrantType/AuthorizationCode.php index cae9f787d..784f6b3a3 100644 --- a/src/OAuth2/GrantType/AuthorizationCode.php +++ b/src/OAuth2/GrantType/AuthorizationCode.php @@ -6,29 +6,47 @@ use OAuth2\ResponseType\AccessTokenInterface; use OAuth2\RequestInterface; use OAuth2\ResponseInterface; +use Exception; /** - * * @author Brent Shaffer */ class AuthorizationCode implements GrantTypeInterface { + /** + * @var AuthorizationCodeInterface + */ protected $storage; + + /** + * @var array + */ protected $authCode; /** - * @param \OAuth2\Storage\AuthorizationCodeInterface $storage REQUIRED Storage class for retrieving authorization code information + * @param AuthorizationCodeInterface $storage - REQUIRED Storage class for retrieving authorization code information */ public function __construct(AuthorizationCodeInterface $storage) { $this->storage = $storage; } - public function getQuerystringIdentifier() + /** + * @return string + */ + public function getQueryStringIdentifier() { return 'authorization_code'; } + /** + * Validate the OAuth request + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @return bool + * @throws Exception + */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request('code')) { @@ -75,21 +93,45 @@ public function validateRequest(RequestInterface $request, ResponseInterface $re return true; } + /** + * Get the client id + * + * @return mixed + */ public function getClientId() { return $this->authCode['client_id']; } + /** + * Get the scope + * + * @return string + */ public function getScope() { return isset($this->authCode['scope']) ? $this->authCode['scope'] : null; } + /** + * Get the user id + * + * @return mixed + */ public function getUserId() { return isset($this->authCode['user_id']) ? $this->authCode['user_id'] : null; } + /** + * Create access token + * + * @param AccessTokenInterface $accessToken + * @param mixed $client_id - client identifier related to the access token. + * @param mixed $user_id - user id associated with the access token + * @param string $scope - scopes to be stored in space-separated string. + * @return array + */ public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) { $token = $accessToken->createAccessToken($client_id, $user_id, $scope); diff --git a/src/OAuth2/GrantType/ClientCredentials.php b/src/OAuth2/GrantType/ClientCredentials.php index f953e4e8d..e135c2dd2 100644 --- a/src/OAuth2/GrantType/ClientCredentials.php +++ b/src/OAuth2/GrantType/ClientCredentials.php @@ -9,12 +9,19 @@ /** * @author Brent Shaffer * - * @see OAuth2\ClientAssertionType_HttpBasic + * @see HttpBasic */ class ClientCredentials extends HttpBasic implements GrantTypeInterface { + /** + * @var array + */ private $clientData; + /** + * @param ClientCredentialsInterface $storage + * @param array $config + */ public function __construct(ClientCredentialsInterface $storage, array $config = array()) { /** @@ -27,11 +34,21 @@ public function __construct(ClientCredentialsInterface $storage, array $config = parent::__construct($storage, $config); } - public function getQuerystringIdentifier() + /** + * Get query string identifier + * + * @return string + */ + public function getQueryStringIdentifier() { return 'client_credentials'; } + /** + * Get scope + * + * @return string|null + */ public function getScope() { $this->loadClientData(); @@ -39,6 +56,11 @@ public function getScope() return isset($this->clientData['scope']) ? $this->clientData['scope'] : null; } + /** + * Get user id + * + * @return mixed + */ public function getUserId() { $this->loadClientData(); @@ -46,6 +68,15 @@ public function getUserId() return isset($this->clientData['user_id']) ? $this->clientData['user_id'] : null; } + /** + * Create access token + * + * @param AccessTokenInterface $accessToken + * @param mixed $client_id - client identifier related to the access token. + * @param mixed $user_id - user id associated with the access token + * @param string $scope - scopes to be stored in space-separated string. + * @return array + */ public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) { /** diff --git a/src/OAuth2/GrantType/GrantTypeInterface.php b/src/OAuth2/GrantType/GrantTypeInterface.php index 98489e9c1..f45786ff5 100644 --- a/src/OAuth2/GrantType/GrantTypeInterface.php +++ b/src/OAuth2/GrantType/GrantTypeInterface.php @@ -11,10 +11,49 @@ */ interface GrantTypeInterface { - public function getQuerystringIdentifier(); + /** + * Get query string identifier + * + * @return string + */ + public function getQueryStringIdentifier(); + + /** + * @param RequestInterface $request + * @param ResponseInterface $response + * @return mixed + */ public function validateRequest(RequestInterface $request, ResponseInterface $response); + + /** + * Get client id + * + * @return mixed + */ public function getClientId(); + + /** + * Get user id + * + * @return mixed + */ public function getUserId(); + + /** + * Get scope + * + * @return string|null + */ public function getScope(); + + /** + * Create access token + * + * @param AccessTokenInterface $accessToken + * @param mixed $client_id - client identifier related to the access token. + * @param mixed $user_id - user id associated with the access token + * @param string $scope - scopes to be stored in space-separated string. + * @return array + */ public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope); } diff --git a/src/OAuth2/GrantType/JwtBearer.php b/src/OAuth2/GrantType/JwtBearer.php index bb11a6954..62c1efabd 100644 --- a/src/OAuth2/GrantType/JwtBearer.php +++ b/src/OAuth2/GrantType/JwtBearer.php @@ -30,10 +30,12 @@ class JwtBearer implements GrantTypeInterface, ClientAssertionTypeInterface /** * Creates an instance of the JWT bearer grant type. * - * @param OAuth2\Storage\JWTBearerInterface|JwtBearerInterface $storage A valid storage interface that implements storage hooks for the JWT bearer grant type. - * @param string $audience The audience to validate the token against. This is usually the full URI of the OAuth token requests endpoint. - * @param EncryptionInterface|OAuth2\Encryption\JWT $jwtUtil OPTONAL The class used to decode, encode and verify JWTs. - * @param array $config + * @param JwtBearerInterface $storage - A valid storage interface that implements storage hooks for the JWT + * bearer grant type. + * @param string $audience - The audience to validate the token against. This is usually the full + * URI of the OAuth token requests endpoint. + * @param EncryptionInterface|JWT $jwtUtil - OPTONAL The class used to decode, encode and verify JWTs. + * @param array $config */ public function __construct(JwtBearerInterface $storage, $audience, EncryptionInterface $jwtUtil = null, array $config = array()) { @@ -56,12 +58,11 @@ public function __construct(JwtBearerInterface $storage, $audience, EncryptionIn /** * Returns the grant_type get parameter to identify the grant type request as JWT bearer authorization grant. * - * @return - * The string identifier for grant_type. + * @return string - The string identifier for grant_type. * - * @see OAuth2\GrantType\GrantTypeInterface::getQuerystringIdentifier() + * @see GrantTypeInterface::getQueryStringIdentifier() */ - public function getQuerystringIdentifier() + public function getQueryStringIdentifier() { return 'urn:ietf:params:oauth:grant-type:jwt-bearer'; } @@ -69,10 +70,9 @@ public function getQuerystringIdentifier() /** * Validates the data from the decoded JWT. * - * @return - * TRUE if the JWT request is valid and can be decoded. Otherwise, FALSE is returned. - * - * @see OAuth2\GrantType\GrantTypeInterface::getTokenData() + * @param RequestInterface $request + * @param ResponseInterface $response + * @return bool|mixed|null TRUE if the JWT request is valid and can be decoded. Otherwise, FALSE is returned.@see GrantTypeInterface::getTokenData() */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { @@ -196,16 +196,31 @@ public function validateRequest(RequestInterface $request, ResponseInterface $re return true; } + /** + * Get client id + * + * @return mixed + */ public function getClientId() { return $this->jwt['iss']; } + /** + * Get user id + * + * @return mixed + */ public function getUserId() { return $this->jwt['sub']; } + /** + * Get scope + * + * @return null + */ public function getScope() { return null; @@ -215,7 +230,13 @@ public function getScope() * Creates an access token that is NOT associated with a refresh token. * If a subject (sub) the name of the user/account we are accessing data on behalf of. * - * @see OAuth2\GrantType\GrantTypeInterface::createAccessToken() + * @see GrantTypeInterface::createAccessToken() + * + * @param AccessTokenInterface $accessToken + * @param mixed $client_id - client identifier related to the access token. + * @param mixed $user_id - user id associated with the access token + * @param string $scope - scopes to be stored in space-separated string. + * @return array */ public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) { diff --git a/src/OAuth2/GrantType/RefreshToken.php b/src/OAuth2/GrantType/RefreshToken.php index e55385222..75c611f1d 100644 --- a/src/OAuth2/GrantType/RefreshToken.php +++ b/src/OAuth2/GrantType/RefreshToken.php @@ -8,25 +8,34 @@ use OAuth2\ResponseInterface; /** - * * @author Brent Shaffer */ class RefreshToken implements GrantTypeInterface { + /** + * @var array + */ private $refreshToken; + /** + * @var RefreshTokenInterface + */ protected $storage; + + /** + * @var array + */ protected $config; /** - * @param OAuth2\Storage\RefreshTokenInterface $storage REQUIRED Storage class for retrieving refresh token information - * @param array $config OPTIONAL Configuration options for the server - * - * $config = array( - * 'always_issue_new_refresh_token' => true, // whether to issue a new refresh token upon successful token request - * 'unset_refresh_token_after_use' => true // whether to unset the refresh token after after using - * ); - * + * @param RefreshTokenInterface $storage - REQUIRED Storage class for retrieving refresh token information + * @param array $config - OPTIONAL Configuration options for the server + * @code + * $config = array( + * 'always_issue_new_refresh_token' => true, // whether to issue a new refresh token upon successful token request + * 'unset_refresh_token_after_use' => true // whether to unset the refresh token after after using + * ); + * @endcode */ public function __construct(RefreshTokenInterface $storage, $config = array()) { @@ -45,11 +54,21 @@ public function __construct(RefreshTokenInterface $storage, $config = array()) $this->storage = $storage; } - public function getQuerystringIdentifier() + /** + * @return string + */ + public function getQueryStringIdentifier() { return 'refresh_token'; } + /** + * Validate the OAuth request + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @return bool|mixed|null + */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request("refresh_token")) { @@ -76,21 +95,45 @@ public function validateRequest(RequestInterface $request, ResponseInterface $re return true; } + /** + * Get client id + * + * @return mixed + */ public function getClientId() { return $this->refreshToken['client_id']; } + /** + * Get user id + * + * @return mixed|null + */ public function getUserId() { return isset($this->refreshToken['user_id']) ? $this->refreshToken['user_id'] : null; } + /** + * Get scope + * + * @return null|string + */ public function getScope() { return isset($this->refreshToken['scope']) ? $this->refreshToken['scope'] : null; } + /** + * Create access token + * + * @param AccessTokenInterface $accessToken + * @param mixed $client_id - client identifier related to the access token. + * @param mixed $user_id - user id associated with the access token + * @param string $scope - scopes to be stored in space-separated string. + * @return array + */ public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) { /* diff --git a/src/OAuth2/GrantType/UserCredentials.php b/src/OAuth2/GrantType/UserCredentials.php index f165538ba..b10c2dd09 100644 --- a/src/OAuth2/GrantType/UserCredentials.php +++ b/src/OAuth2/GrantType/UserCredentials.php @@ -6,30 +6,46 @@ use OAuth2\ResponseType\AccessTokenInterface; use OAuth2\RequestInterface; use OAuth2\ResponseInterface; +use LogicException; /** - * * @author Brent Shaffer */ class UserCredentials implements GrantTypeInterface { + /** + * @var array + */ private $userInfo; + /** + * @var UserCredentialsInterface + */ protected $storage; /** - * @param OAuth2\Storage\UserCredentialsInterface $storage REQUIRED Storage class for retrieving user credentials information + * @param UserCredentialsInterface $storage - REQUIRED Storage class for retrieving user credentials information */ public function __construct(UserCredentialsInterface $storage) { $this->storage = $storage; } - public function getQuerystringIdentifier() + /** + * @return string + */ + public function getQueryStringIdentifier() { return 'password'; } + /** + * @param RequestInterface $request + * @param ResponseInterface $response + * @return bool|mixed|null + * + * @throws LogicException + */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request("password") || !$request->request("username")) { @@ -61,21 +77,45 @@ public function validateRequest(RequestInterface $request, ResponseInterface $re return true; } + /** + * Get client id + * + * @return mixed|null + */ public function getClientId() { return null; } + /** + * Get user id + * + * @return mixed + */ public function getUserId() { return $this->userInfo['user_id']; } + /** + * Get scope + * + * @return null|string + */ public function getScope() { return isset($this->userInfo['scope']) ? $this->userInfo['scope'] : null; } + /** + * Create access token + * + * @param AccessTokenInterface $accessToken + * @param mixed $client_id - client identifier related to the access token. + * @param mixed $user_id - user id associated with the access token + * @param string $scope - scopes to be stored in space-separated string. + * @return array + */ public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) { return $accessToken->createAccessToken($client_id, $user_id, $scope); diff --git a/src/OAuth2/OpenID/Controller/AuthorizeController.php b/src/OAuth2/OpenID/Controller/AuthorizeController.php index c9b5c6af7..54c5f9a63 100644 --- a/src/OAuth2/OpenID/Controller/AuthorizeController.php +++ b/src/OAuth2/OpenID/Controller/AuthorizeController.php @@ -11,8 +11,19 @@ */ class AuthorizeController extends BaseAuthorizeController implements AuthorizeControllerInterface { + /** + * @var mixed + */ private $nonce; + /** + * Set not authorized response + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @param string $redirect_uri + * @param null $user_id + */ protected function setNotAuthorizedResponse(RequestInterface $request, ResponseInterface $response, $redirect_uri, $user_id = null) { $prompt = $request->query('prompt', 'consent'); @@ -32,6 +43,14 @@ protected function setNotAuthorizedResponse(RequestInterface $request, ResponseI $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $this->getState(), $error, $error_message); } + /** + * @TODO: add dependency injection for the parameters in this method + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @param mixed $user_id + * @return array + */ protected function buildAuthorizeParameters($request, $response, $user_id) { if (!$params = parent::buildAuthorizeParameters($request, $response, $user_id)) { @@ -49,6 +68,11 @@ protected function buildAuthorizeParameters($request, $response, $user_id) return $params; } + /** + * @param RequestInterface $request + * @param ResponseInterface $response + * @return bool + */ public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response) { if (!parent::validateAuthorizeRequest($request, $response)) { @@ -69,6 +93,11 @@ public function validateAuthorizeRequest(RequestInterface $request, ResponseInte return true; } + /** + * Array of valid response types + * + * @return array + */ protected function getValidResponseTypes() { return array( @@ -87,11 +116,8 @@ protected function getValidResponseTypes() * method checks whether OpenID Connect is enabled in the server settings * and whether the openid scope was requested. * - * @param $request_scope - * A space-separated string of scopes. - * - * @return - * TRUE if an id token is needed, FALSE otherwise. + * @param string $request_scope - A space-separated string of scopes. + * @return boolean - TRUE if an id token is needed, FALSE otherwise. */ public function needsIdToken($request_scope) { @@ -99,6 +125,9 @@ public function needsIdToken($request_scope) return $this->scopeUtil->checkScope('openid', $request_scope); } + /** + * @return mixed + */ public function getNonce() { return $this->nonce; diff --git a/src/OAuth2/OpenID/Controller/AuthorizeControllerInterface.php b/src/OAuth2/OpenID/Controller/AuthorizeControllerInterface.php index 1e231d844..b4967c317 100644 --- a/src/OAuth2/OpenID/Controller/AuthorizeControllerInterface.php +++ b/src/OAuth2/OpenID/Controller/AuthorizeControllerInterface.php @@ -5,6 +5,8 @@ interface AuthorizeControllerInterface { const RESPONSE_TYPE_ID_TOKEN = 'id_token'; + const RESPONSE_TYPE_ID_TOKEN_TOKEN = 'id_token token'; + const RESPONSE_TYPE_CODE_ID_TOKEN = 'code id_token'; } diff --git a/src/OAuth2/OpenID/Controller/UserInfoController.php b/src/OAuth2/OpenID/Controller/UserInfoController.php index 30cb942d0..c489b7af3 100644 --- a/src/OAuth2/OpenID/Controller/UserInfoController.php +++ b/src/OAuth2/OpenID/Controller/UserInfoController.php @@ -16,30 +16,34 @@ */ class UserInfoController extends ResourceController implements UserInfoControllerInterface { - private $token; - - protected $tokenType; - protected $tokenStorage; + /** + * @var UserClaimsInterface + */ protected $userClaimsStorage; - protected $config; - protected $scopeUtil; + /** + * Constructor + * + * @param TokenTypeInterface $tokenType + * @param AccessTokenInterface $tokenStorage + * @param UserClaimsInterface $userClaimsStorage + * @param array $config + * @param ScopeInterface $scopeUtil + */ public function __construct(TokenTypeInterface $tokenType, AccessTokenInterface $tokenStorage, UserClaimsInterface $userClaimsStorage, $config = array(), ScopeInterface $scopeUtil = null) { - $this->tokenType = $tokenType; - $this->tokenStorage = $tokenStorage; - $this->userClaimsStorage = $userClaimsStorage; - - $this->config = array_merge(array( - 'www_realm' => 'Service', - ), $config); + parent::__construct($tokenType, $tokenStorage, $config, $scopeUtil); - if (is_null($scopeUtil)) { - $scopeUtil = new Scope(); - } - $this->scopeUtil = $scopeUtil; + $this->userClaimsStorage = $userClaimsStorage; } + /** + * Handle the user info request + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @return void + */ public function handleUserInfoRequest(RequestInterface $request, ResponseInterface $response) { if (!$this->verifyResourceRequest($request, $response, 'openid')) { @@ -55,4 +59,4 @@ public function handleUserInfoRequest(RequestInterface $request, ResponseInterfa ); $response->addParameters($claims); } -} +} \ No newline at end of file diff --git a/src/OAuth2/OpenID/Controller/UserInfoControllerInterface.php b/src/OAuth2/OpenID/Controller/UserInfoControllerInterface.php index a89049d49..88e9228d0 100644 --- a/src/OAuth2/OpenID/Controller/UserInfoControllerInterface.php +++ b/src/OAuth2/OpenID/Controller/UserInfoControllerInterface.php @@ -9,15 +9,22 @@ * This controller is called when the user claims for OpenID Connect's * UserInfo endpoint should be returned. * - * ex: - * > $response = new OAuth2\Response(); - * > $userInfoController->handleUserInfoRequest( - * > OAuth2\Request::createFromGlobals(), - * > $response; - * > $response->send(); - * + * @code + * $response = new OAuth2\Response(); + * $userInfoController->handleUserInfoRequest( + * OAuth2\Request::createFromGlobals(), + * $response + * ); + * $response->send(); + * @endcode */ interface UserInfoControllerInterface { + /** + * Handle user info request + * + * @param RequestInterface $request + * @param ResponseInterface $response + */ public function handleUserInfoRequest(RequestInterface $request, ResponseInterface $response); } diff --git a/src/OAuth2/OpenID/GrantType/AuthorizationCode.php b/src/OAuth2/OpenID/GrantType/AuthorizationCode.php index 8ed1edc26..ee113a0e5 100644 --- a/src/OAuth2/OpenID/GrantType/AuthorizationCode.php +++ b/src/OAuth2/OpenID/GrantType/AuthorizationCode.php @@ -6,11 +6,19 @@ use OAuth2\ResponseType\AccessTokenInterface; /** - * * @author Brent Shaffer */ class AuthorizationCode extends BaseAuthorizationCode { + /** + * Create access token + * + * @param AccessTokenInterface $accessToken + * @param mixed $client_id - client identifier related to the access token. + * @param mixed $user_id - user id associated with the access token + * @param string $scope - scopes to be stored in space-separated string. + * @return array + */ public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) { $includeRefreshToken = true; diff --git a/src/OAuth2/OpenID/ResponseType/AuthorizationCode.php b/src/OAuth2/OpenID/ResponseType/AuthorizationCode.php index 8971954c5..b8ad41ffb 100644 --- a/src/OAuth2/OpenID/ResponseType/AuthorizationCode.php +++ b/src/OAuth2/OpenID/ResponseType/AuthorizationCode.php @@ -6,16 +6,26 @@ use OAuth2\OpenID\Storage\AuthorizationCodeInterface as AuthorizationCodeStorageInterface; /** - * * @author Brent Shaffer */ class AuthorizationCode extends BaseAuthorizationCode implements AuthorizationCodeInterface { + /** + * Constructor + * + * @param AuthorizationCodeStorageInterface $storage + * @param array $config + */ public function __construct(AuthorizationCodeStorageInterface $storage, array $config = array()) { parent::__construct($storage, $config); } + /** + * @param $params + * @param null $user_id + * @return array + */ public function getAuthorizeResponse($params, $user_id = null) { // build the URL to redirect to @@ -35,18 +45,14 @@ public function getAuthorizeResponse($params, $user_id = null) /** * Handle the creation of the authorization code. * - * @param $client_id - * Client identifier related to the authorization code - * @param $user_id - * User ID associated with the authorization code - * @param $redirect_uri - * An absolute URI to which the authorization server will redirect the - * user-agent to when the end-user authorization step is completed. - * @param $scope - * (optional) Scopes to be stored in space-separated string. - * @param $id_token - * (optional) The OpenID Connect id_token. + * @param mixed $client_id - Client identifier related to the authorization code + * @param mixed $user_id - User ID associated with the authorization code + * @param string $redirect_uri - An absolute URI to which the authorization server will redirect the + * user-agent to when the end-user authorization step is completed. + * @param string $scope - OPTIONAL Scopes to be stored in space-separated string. + * @param string $id_token - OPTIONAL The OpenID Connect id_token. * + * @return string * @see http://tools.ietf.org/html/rfc6749#section-4 * @ingroup oauth2_section_4 */ diff --git a/src/OAuth2/OpenID/ResponseType/AuthorizationCodeInterface.php b/src/OAuth2/OpenID/ResponseType/AuthorizationCodeInterface.php index ea4779255..eb94ef077 100644 --- a/src/OAuth2/OpenID/ResponseType/AuthorizationCodeInterface.php +++ b/src/OAuth2/OpenID/ResponseType/AuthorizationCodeInterface.php @@ -5,7 +5,6 @@ use OAuth2\ResponseType\AuthorizationCodeInterface as BaseAuthorizationCodeInterface; /** - * * @author Brent Shaffer */ interface AuthorizationCodeInterface extends BaseAuthorizationCodeInterface @@ -13,12 +12,13 @@ interface AuthorizationCodeInterface extends BaseAuthorizationCodeInterface /** * Handle the creation of the authorization code. * - * @param $client_id Client identifier related to the authorization code - * @param $user_id User ID associated with the authorization code - * @param $redirect_uri An absolute URI to which the authorization server will redirect the - * user-agent to when the end-user authorization step is completed. - * @param $scope OPTIONAL Scopes to be stored in space-separated string. - * @param $id_token OPTIONAL The OpenID Connect id_token. + * @param mixed $client_id - Client identifier related to the authorization code + * @param mixed $user_id - User ID associated with the authorization code + * @param string $redirect_uri - An absolute URI to which the authorization server will redirect the + * user-agent to when the end-user authorization step is completed. + * @param string $scope - OPTIONAL Scopes to be stored in space-separated string. + * @param string $id_token - OPTIONAL The OpenID Connect id_token. + * @return string * * @see http://tools.ietf.org/html/rfc6749#section-4 * @ingroup oauth2_section_4 diff --git a/src/OAuth2/OpenID/ResponseType/CodeIdToken.php b/src/OAuth2/OpenID/ResponseType/CodeIdToken.php index ac7764d6c..2696ada37 100644 --- a/src/OAuth2/OpenID/ResponseType/CodeIdToken.php +++ b/src/OAuth2/OpenID/ResponseType/CodeIdToken.php @@ -4,15 +4,31 @@ class CodeIdToken implements CodeIdTokenInterface { + /** + * @var AuthorizationCodeInterface + */ protected $authCode; + + /** + * @var IdTokenInterface + */ protected $idToken; + /** + * @param AuthorizationCodeInterface $authCode + * @param IdTokenInterface $idToken + */ public function __construct(AuthorizationCodeInterface $authCode, IdTokenInterface $idToken) { $this->authCode = $authCode; $this->idToken = $idToken; } + /** + * @param array $params + * @param mixed $user_id + * @return mixed + */ public function getAuthorizeResponse($params, $user_id = null) { $result = $this->authCode->getAuthorizeResponse($params, $user_id); diff --git a/src/OAuth2/OpenID/ResponseType/IdToken.php b/src/OAuth2/OpenID/ResponseType/IdToken.php index 97777fbf2..55e446074 100644 --- a/src/OAuth2/OpenID/ResponseType/IdToken.php +++ b/src/OAuth2/OpenID/ResponseType/IdToken.php @@ -6,14 +6,38 @@ use OAuth2\Encryption\Jwt; use OAuth2\Storage\PublicKeyInterface; use OAuth2\OpenID\Storage\UserClaimsInterface; +use LogicException; class IdToken implements IdTokenInterface { + /** + * @var UserClaimsInterface + */ protected $userClaimsStorage; + /** + * @var PublicKeyInterface + */ protected $publicKeyStorage; + + /** + * @var array + */ protected $config; + + /** + * @var EncryptionInterface + */ protected $encryptionUtil; + /** + * Constructor + * + * @param UserClaimsInterface $userClaimsStorage + * @param PublicKeyInterface $publicKeyStorage + * @param array $config + * @param EncryptionInterface $encryptionUtil + * @throws LogicException + */ public function __construct(UserClaimsInterface $userClaimsStorage, PublicKeyInterface $publicKeyStorage, array $config = array(), EncryptionInterface $encryptionUtil = null) { $this->userClaimsStorage = $userClaimsStorage; @@ -24,13 +48,18 @@ public function __construct(UserClaimsInterface $userClaimsStorage, PublicKeyInt $this->encryptionUtil = $encryptionUtil; if (!isset($config['issuer'])) { - throw new \LogicException('config parameter "issuer" must be set'); + throw new LogicException('config parameter "issuer" must be set'); } $this->config = array_merge(array( 'id_lifetime' => 3600, ), $config); } + /** + * @param array $params + * @param null $userInfo + * @return array|mixed + */ public function getAuthorizeResponse($params, $userInfo = null) { // build the URL to redirect to @@ -50,6 +79,16 @@ public function getAuthorizeResponse($params, $userInfo = null) return array($params['redirect_uri'], $result); } + /** + * Create id token + * + * @param string $client_id + * @param mixed $userInfo + * @param mixed $nonce + * @param mixed $userClaims + * @param mixed $access_token + * @return mixed|string + */ public function createIdToken($client_id, $userInfo, $nonce = null, $userClaims = null, $access_token = null) { // pull auth_time from user info if supplied @@ -79,6 +118,11 @@ public function createIdToken($client_id, $userInfo, $nonce = null, $userClaims return $this->encodeToken($token, $client_id); } + /** + * @param $access_token + * @param null $client_id + * @return mixed|string + */ protected function createAtHash($access_token, $client_id = null) { // maps HS256 and RS256 to sha256, etc. @@ -90,6 +134,11 @@ protected function createAtHash($access_token, $client_id = null) return $this->encryptionUtil->urlSafeB64Encode($at_hash); } + /** + * @param array $token + * @param null $client_id + * @return mixed|string + */ protected function encodeToken(array $token, $client_id = null) { $private_key = $this->publicKeyStorage->getPrivateKey($client_id); @@ -98,6 +147,11 @@ protected function encodeToken(array $token, $client_id = null) return $this->encryptionUtil->encode($token, $private_key, $algorithm); } + /** + * @param $userInfo + * @return array + * @throws LogicException + */ private function getUserIdAndAuthTime($userInfo) { $auth_time = null; @@ -105,7 +159,7 @@ private function getUserIdAndAuthTime($userInfo) // support an array for user_id / auth_time if (is_array($userInfo)) { if (!isset($userInfo['user_id'])) { - throw new \LogicException('if $user_id argument is an array, user_id index must be set'); + throw new LogicException('if $user_id argument is an array, user_id index must be set'); } $auth_time = isset($userInfo['auth_time']) ? $userInfo['auth_time'] : null; diff --git a/src/OAuth2/OpenID/ResponseType/IdTokenInterface.php b/src/OAuth2/OpenID/ResponseType/IdTokenInterface.php index 0bd2f8391..226a3bcbb 100644 --- a/src/OAuth2/OpenID/ResponseType/IdTokenInterface.php +++ b/src/OAuth2/OpenID/ResponseType/IdTokenInterface.php @@ -15,12 +15,13 @@ interface IdTokenInterface extends ResponseTypeInterface * If the Implicit Flow is used, the token and id_token are generated and * returned together. * - * @param string $client_id The client id. - * @param string $user_id The user id. - * @param string $nonce OPTIONAL The nonce. - * @param string $userClaims OPTIONAL Claims about the user. - * @param string $access_token OPTIONAL The access token, if known. - * + * @param string $client_id - The client id. + * @param mixed $userInfo - User info + * @param string $nonce - OPTIONAL The nonce. + * @param string $userClaims - OPTIONAL Claims about the user. + * @param string $access_token - OPTIONAL The access token, if known. + + * @internal param string $user_id - The user id. * @return string The ID Token represented as a JSON Web Token (JWT). * * @see http://openid.net/specs/openid-connect-core-1_0.html#IDToken diff --git a/src/OAuth2/OpenID/ResponseType/IdTokenToken.php b/src/OAuth2/OpenID/ResponseType/IdTokenToken.php index f0c59799b..94c51ae4d 100644 --- a/src/OAuth2/OpenID/ResponseType/IdTokenToken.php +++ b/src/OAuth2/OpenID/ResponseType/IdTokenToken.php @@ -6,15 +6,33 @@ class IdTokenToken implements IdTokenTokenInterface { + /** + * @var AccessTokenInterface + */ protected $accessToken; + + /** + * @var IdTokenInterface + */ protected $idToken; + /** + * Constructor + * + * @param AccessTokenInterface $accessToken + * @param IdTokenInterface $idToken + */ public function __construct(AccessTokenInterface $accessToken, IdTokenInterface $idToken) { $this->accessToken = $accessToken; $this->idToken = $idToken; } + /** + * @param array $params + * @param mixed $user_id + * @return mixed + */ public function getAuthorizeResponse($params, $user_id = null) { $result = $this->accessToken->getAuthorizeResponse($params, $user_id); diff --git a/src/OAuth2/OpenID/Storage/AuthorizationCodeInterface.php b/src/OAuth2/OpenID/Storage/AuthorizationCodeInterface.php index 51dd867ec..446cec928 100644 --- a/src/OAuth2/OpenID/Storage/AuthorizationCodeInterface.php +++ b/src/OAuth2/OpenID/Storage/AuthorizationCodeInterface.php @@ -23,13 +23,13 @@ interface AuthorizationCodeInterface extends BaseAuthorizationCodeInterface * * Required for OAuth2::GRANT_TYPE_AUTH_CODE. * - * @param $code authorization code to be stored. - * @param $client_id client identifier to be stored. - * @param $user_id user identifier to be stored. - * @param string $redirect_uri redirect URI(s) to be stored in a space-separated string. - * @param int $expires expiration to be stored as a Unix timestamp. - * @param string $scope OPTIONAL scopes to be stored in space-separated string. - * @param string $id_token OPTIONAL the OpenID Connect id_token. + * @param string $code - authorization code to be stored. + * @param mixed $client_id - client identifier to be stored. + * @param mixed $user_id - user identifier to be stored. + * @param string $redirect_uri - redirect URI(s) to be stored in a space-separated string. + * @param int $expires - expiration to be stored as a Unix timestamp. + * @param string $scope - OPTIONAL scopes to be stored in space-separated string. + * @param string $id_token - OPTIONAL the OpenID Connect id_token. * * @ingroup oauth2_section_4 */ diff --git a/src/OAuth2/OpenID/Storage/UserClaimsInterface.php b/src/OAuth2/OpenID/Storage/UserClaimsInterface.php index f230bef9e..9c5e7c8c4 100644 --- a/src/OAuth2/OpenID/Storage/UserClaimsInterface.php +++ b/src/OAuth2/OpenID/Storage/UserClaimsInterface.php @@ -23,14 +23,11 @@ interface UserClaimsInterface * Groups of claims are returned based on the requested scopes. No group * is required, and no claim is required. * - * @param $user_id - * The id of the user for which claims should be returned. - * @param $scope - * The requested scope. + * @param mixed $user_id - The id of the user for which claims should be returned. + * @param string $scope - The requested scope. * Scopes with matching claims: profile, email, address, phone. * - * @return - * An array in the claim => value format. + * @return array - An array in the claim => value format. * * @see http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims */ diff --git a/src/OAuth2/Request.php b/src/OAuth2/Request.php index c92cee821..c96cb972f 100644 --- a/src/OAuth2/Request.php +++ b/src/OAuth2/Request.php @@ -2,6 +2,8 @@ namespace OAuth2; +use LogicException; + /** * OAuth2\Request * This class is taken from the Symfony2 Framework and is part of the Symfony package. @@ -21,13 +23,14 @@ class Request implements RequestInterface /** * Constructor. * - * @param array $query The GET parameters - * @param array $request The POST parameters - * @param array $attributes The request attributes (parameters parsed from the PATH_INFO, ...) - * @param array $cookies The COOKIE parameters - * @param array $files The FILES parameters - * @param array $server The SERVER parameters - * @param string $content The raw body data + * @param array $query - The GET parameters + * @param array $request - The POST parameters + * @param array $attributes - The request attributes (parameters parsed from the PATH_INFO, ...) + * @param array $cookies - The COOKIE parameters + * @param array $files - The FILES parameters + * @param array $server - The SERVER parameters + * @param string $content - The raw body data + * @param array $headers - The headers * * @api */ @@ -41,13 +44,14 @@ public function __construct(array $query = array(), array $request = array(), ar * * This method also re-initializes all properties. * - * @param array $query The GET parameters - * @param array $request The POST parameters - * @param array $attributes The request attributes (parameters parsed from the PATH_INFO, ...) - * @param array $cookies The COOKIE parameters - * @param array $files The FILES parameters - * @param array $server The SERVER parameters - * @param string $content The raw body data + * @param array $query - The GET parameters + * @param array $request - The POST parameters + * @param array $attributes - The request attributes (parameters parsed from the PATH_INFO, ...) + * @param array $cookies - The COOKIE parameters + * @param array $files - The FILES parameters + * @param array $server - The SERVER parameters + * @param string $content - The raw body data + * @param array $headers - The headers * * @api */ @@ -63,21 +67,41 @@ public function initialize(array $query = array(), array $request = array(), arr $this->headers = is_null($headers) ? $this->getHeadersFromServer($this->server) : $headers; } + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function query($name, $default = null) { return isset($this->query[$name]) ? $this->query[$name] : $default; } + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function request($name, $default = null) { return isset($this->request[$name]) ? $this->request[$name] : $default; } + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function server($name, $default = null) { return isset($this->server[$name]) ? $this->server[$name] : $default; } + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function headers($name, $default = null) { $headers = array_change_key_case($this->headers); @@ -86,6 +110,9 @@ public function headers($name, $default = null) return isset($headers[$name]) ? $headers[$name] : $default; } + /** + * @return array + */ public function getAllQueryParameters() { return $this->query; @@ -94,14 +121,15 @@ public function getAllQueryParameters() /** * Returns the request body content. * - * @param Boolean $asResource If true, a resource will be returned + * @param boolean $asResource - If true, a resource will be returned + * @return string|resource - The request body content or a resource to read the body stream. * - * @return string|resource The request body content or a resource to read the body stream. + * @throws LogicException */ public function getContent($asResource = false) { if (false === $this->content || (true === $asResource && null !== $this->content)) { - throw new \LogicException('getContent() can only be called once when using the resource return type.'); + throw new LogicException('getContent() can only be called once when using the resource return type.'); } if (true === $asResource) { @@ -117,6 +145,10 @@ public function getContent($asResource = false) return $this->content; } + /** + * @param array $server + * @return array + */ private function getHeadersFromServer($server) { $headers = array(); @@ -185,13 +217,15 @@ private function getHeadersFromServer($server) /** * Creates a new request with values from PHP's super globals. * - * @return Request A new request + * @return Request - A new request * * @api */ public static function createFromGlobals() { $class = get_called_class(); + + /** @var Request $request */ $request = new $class($_GET, $_POST, array(), $_COOKIE, $_FILES, $_SERVER); $contentType = $request->server('CONTENT_TYPE', ''); diff --git a/src/OAuth2/RequestInterface.php b/src/OAuth2/RequestInterface.php index 8a70d5fad..1d036b735 100644 --- a/src/OAuth2/RequestInterface.php +++ b/src/OAuth2/RequestInterface.php @@ -4,13 +4,36 @@ interface RequestInterface { + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function query($name, $default = null); + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function request($name, $default = null); + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function server($name, $default = null); + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function headers($name, $default = null); + /** + * @return mixed + */ public function getAllQueryParameters(); } diff --git a/src/OAuth2/Response.php b/src/OAuth2/Response.php index fc1e62a98..ccd797ae7 100644 --- a/src/OAuth2/Response.php +++ b/src/OAuth2/Response.php @@ -2,6 +2,8 @@ namespace OAuth2; +use InvalidArgumentException; + /** * Class to handle OAuth2 Responses in a graceful way. Use this interface * to output the proper OAuth2 responses. @@ -13,12 +15,34 @@ */ class Response implements ResponseInterface { + /** + * @var string + */ public $version; + + /** + * @var int + */ protected $statusCode = 200; + + /** + * @var string + */ protected $statusText; + + /** + * @var array + */ protected $parameters = array(); + + /** + * @var array + */ protected $httpHeaders = array(); + /** + * @var array + */ public static $statusTexts = array( 100 => 'Continue', 101 => 'Switching Protocols', @@ -63,6 +87,11 @@ class Response implements ResponseInterface 505 => 'HTTP Version Not Supported', ); + /** + * @param array $parameters + * @param int $statusCode + * @param array $headers + */ public function __construct($parameters = array(), $statusCode = 200, $headers = array()) { $this->setParameters($parameters); @@ -102,76 +131,128 @@ protected function buildHeader($name, $value) return sprintf("%s: %s\n", $name, $value); } + /** + * @return int + */ public function getStatusCode() { return $this->statusCode; } + /** + * @param int $statusCode + * @param string $text + * @throws InvalidArgumentException + */ public function setStatusCode($statusCode, $text = null) { $this->statusCode = (int) $statusCode; if ($this->isInvalid()) { - throw new \InvalidArgumentException(sprintf('The HTTP status code "%s" is not valid.', $statusCode)); + throw new InvalidArgumentException(sprintf('The HTTP status code "%s" is not valid.', $statusCode)); } $this->statusText = false === $text ? '' : (null === $text ? self::$statusTexts[$this->statusCode] : $text); } + /** + * @return string + */ public function getStatusText() { return $this->statusText; } + /** + * @return array + */ public function getParameters() { return $this->parameters; } + /** + * @param array $parameters + */ public function setParameters(array $parameters) { $this->parameters = $parameters; } + /** + * @param array $parameters + */ public function addParameters(array $parameters) { $this->parameters = array_merge($this->parameters, $parameters); } + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function getParameter($name, $default = null) { return isset($this->parameters[$name]) ? $this->parameters[$name] : $default; } + /** + * @param string $name + * @param mixed $value + */ public function setParameter($name, $value) { $this->parameters[$name] = $value; } + /** + * @param array $httpHeaders + */ public function setHttpHeaders(array $httpHeaders) { $this->httpHeaders = $httpHeaders; } + /** + * @param string $name + * @param mixed $value + */ public function setHttpHeader($name, $value) { $this->httpHeaders[$name] = $value; } + /** + * @param array $httpHeaders + */ public function addHttpHeaders(array $httpHeaders) { $this->httpHeaders = array_merge($this->httpHeaders, $httpHeaders); } + /** + * @return array + */ public function getHttpHeaders() { return $this->httpHeaders; } + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function getHttpHeader($name, $default = null) { return isset($this->httpHeaders[$name]) ? $this->httpHeaders[$name] : $default; } + /** + * @param string $format + * @return mixed + * @throws InvalidArgumentException + */ public function getResponseBody($format = 'json') { switch ($format) { @@ -187,10 +268,13 @@ public function getResponseBody($format = 'json') return $xml->asXML(); } - throw new \InvalidArgumentException(sprintf('The format %s is not supported', $format)); + throw new InvalidArgumentException(sprintf('The format %s is not supported', $format)); } + /** + * @param string $format + */ public function send($format = 'json') { // headers have already been sent by the developer @@ -215,6 +299,14 @@ public function send($format = 'json') echo $this->getResponseBody($format); } + /** + * @param int $statusCode + * @param string $error + * @param string $errorDescription + * @param string $errorUri + * @return mixed + * @throws InvalidArgumentException + */ public function setError($statusCode, $error, $errorDescription = null, $errorUri = null) { $parameters = array( @@ -239,14 +331,24 @@ public function setError($statusCode, $error, $errorDescription = null, $errorUr $this->addHttpHeaders($httpHeaders); if (!$this->isClientError() && !$this->isServerError()) { - throw new \InvalidArgumentException(sprintf('The HTTP status code is not an error ("%s" given).', $statusCode)); + throw new InvalidArgumentException(sprintf('The HTTP status code is not an error ("%s" given).', $statusCode)); } } + /** + * @param int $statusCode + * @param string $url + * @param string $state + * @param string $error + * @param string $errorDescription + * @param string $errorUri + * @return mixed + * @throws InvalidArgumentException + */ public function setRedirect($statusCode, $url, $state = null, $error = null, $errorDescription = null, $errorUri = null) { if (empty($url)) { - throw new \InvalidArgumentException('Cannot redirect to an empty URL.'); + throw new InvalidArgumentException('Cannot redirect to an empty URL.'); } $parameters = array(); @@ -271,15 +373,16 @@ public function setRedirect($statusCode, $url, $state = null, $error = null, $er $this->addHttpHeaders(array('Location' => $url)); if (!$this->isRedirection()) { - throw new \InvalidArgumentException(sprintf('The HTTP status code is not a redirect ("%s" given).', $statusCode)); + throw new InvalidArgumentException(sprintf('The HTTP status code is not a redirect ("%s" given).', $statusCode)); } } - // http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html /** * @return Boolean * * @api + * + * @see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html */ public function isInvalid() { @@ -336,8 +439,11 @@ public function isServerError() return $this->statusCode >= 500 && $this->statusCode < 600; } - /* - * Functions from Symfony2 HttpFoundation - output pretty header + /** + * Function from Symfony2 HttpFoundation - output pretty header + * + * @param array $headers + * @return string */ private function getHttpHeadersAsString($headers) { @@ -357,11 +463,23 @@ private function getHttpHeadersAsString($headers) return $content; } + /** + * Function from Symfony2 HttpFoundation - output pretty header + * + * @param string $name + * @return mixed + */ private function beautifyHeaderName($name) { return preg_replace_callback('/\-(.)/', array($this, 'beautifyCallback'), ucfirst($name)); } + /** + * Function from Symfony2 HttpFoundation - output pretty header + * + * @param array $match + * @return string + */ private function beautifyCallback($match) { return '-'.strtoupper($match[1]); diff --git a/src/OAuth2/ResponseInterface.php b/src/OAuth2/ResponseInterface.php index c99b5f7d1..fe920864a 100644 --- a/src/OAuth2/ResponseInterface.php +++ b/src/OAuth2/ResponseInterface.php @@ -6,19 +6,48 @@ * Interface which represents an object response. Meant to handle and display the proper OAuth2 Responses * for errors and successes * - * @see OAuth2\Response + * @see \OAuth2\Response */ interface ResponseInterface { + /** + * @param array $parameters + */ public function addParameters(array $parameters); + /** + * @param array $httpHeaders + */ public function addHttpHeaders(array $httpHeaders); + /** + * @param int $statusCode + */ public function setStatusCode($statusCode); + /** + * @param int $statusCode + * @param string $name + * @param string $description + * @param string $uri + * @return mixed + */ public function setError($statusCode, $name, $description = null, $uri = null); + /** + * @param int $statusCode + * @param string $url + * @param string $state + * @param string $error + * @param string $errorDescription + * @param string $errorUri + * @return mixed + */ public function setRedirect($statusCode, $url, $state = null, $error = null, $errorDescription = null, $errorUri = null); + /** + * @param string $name + * @return mixed + */ public function getParameter($name); } diff --git a/src/OAuth2/ResponseType/AccessToken.php b/src/OAuth2/ResponseType/AccessToken.php index 98f51218f..e836a3447 100644 --- a/src/OAuth2/ResponseType/AccessToken.php +++ b/src/OAuth2/ResponseType/AccessToken.php @@ -4,28 +4,39 @@ use OAuth2\Storage\AccessTokenInterface as AccessTokenStorageInterface; use OAuth2\Storage\RefreshTokenInterface; +use RuntimeException; /** - * * @author Brent Shaffer */ class AccessToken implements AccessTokenInterface { + /** + * @var AccessTokenInterface + */ protected $tokenStorage; + + /** + * @var RefreshTokenInterface + */ protected $refreshStorage; + + /** + * @var array + */ protected $config; /** - * @param OAuth2\Storage\AccessTokenInterface $tokenStorage REQUIRED Storage class for saving access token information - * @param OAuth2\Storage\RefreshTokenInterface $refreshStorage OPTIONAL Storage class for saving refresh token information - * @param array $config OPTIONAL Configuration options for the server - * - * $config = array( - * 'token_type' => 'bearer', // token type identifier - * 'access_lifetime' => 3600, // time before access token expires - * 'refresh_token_lifetime' => 1209600, // time before refresh token expires - * ); - * + * @param AccessTokenStorageInterface $tokenStorage - REQUIRED Storage class for saving access token information + * @param RefreshTokenInterface $refreshStorage - OPTIONAL Storage class for saving refresh token information + * @param array $config - OPTIONAL Configuration options for the server + * @code + * $config = array( + * 'token_type' => 'bearer', // token type identifier + * 'access_lifetime' => 3600, // time before access token expires + * 'refresh_token_lifetime' => 1209600, // time before refresh token expires + * ); + * @endcode */ public function __construct(AccessTokenStorageInterface $tokenStorage, RefreshTokenInterface $refreshStorage = null, array $config = array()) { @@ -39,6 +50,13 @@ public function __construct(AccessTokenStorageInterface $tokenStorage, RefreshTo ), $config); } + /** + * Get authorize response + * + * @param array $params + * @param mixed $user_id + * @return array + */ public function getAuthorizeResponse($params, $user_id = null) { // build the URL to redirect to @@ -64,10 +82,11 @@ public function getAuthorizeResponse($params, $user_id = null) /** * Handle the creation of access token, also issue refresh token if supported / desirable. * - * @param $client_id client identifier related to the access token. - * @param $user_id user ID associated with the access token - * @param $scope OPTIONAL scopes to be stored in space-separated string. - * @param bool $includeRefreshToken if true, a new refresh_token will be added to the response + * @param mixed $client_id - client identifier related to the access token. + * @param mixed $user_id - user ID associated with the access token + * @param string $scope - OPTIONAL scopes to be stored in space-separated string. + * @param bool $includeRefreshToken - if true, a new refresh_token will be added to the response + * @return array * * @see http://tools.ietf.org/html/rfc6749#section-5 * @ingroup oauth2_section_5 @@ -107,13 +126,18 @@ public function createAccessToken($client_id, $user_id, $scope = null, $includeR * Implementing classes may want to override this function to implement * other access token generation schemes. * - * @return - * An unique access token. + * @return string - A unique access token. * * @ingroup oauth2_section_4 */ protected function generateAccessToken() { + if (function_exists('random_bytes')) { + $randomData = random_bytes(20); + if ($randomData !== false && strlen($randomData) === 20) { + return bin2hex($randomData); + } + } if (function_exists('openssl_random_pseudo_bytes')) { $randomData = openssl_random_pseudo_bytes(20); if ($randomData !== false && strlen($randomData) === 20) { @@ -144,8 +168,7 @@ protected function generateAccessToken() * Implementing classes may want to override this function to implement * other refresh token generation schemes. * - * @return - * An unique refresh. + * @return string - A unique refresh token. * * @ingroup oauth2_section_4 * @see OAuth2::generateAccessToken() @@ -162,6 +185,7 @@ protected function generateRefreshToken() * * @param $token * @param null $tokenTypeHint + * @throws RuntimeException * @return boolean */ public function revokeToken($token, $tokenTypeHint = null) @@ -174,7 +198,7 @@ public function revokeToken($token, $tokenTypeHint = null) /** @TODO remove in v2 */ if (!method_exists($this->tokenStorage, 'unsetAccessToken')) { - throw new \RuntimeException( + throw new RuntimeException( sprintf('Token storage %s must implement unsetAccessToken method', get_class($this->tokenStorage) )); } diff --git a/src/OAuth2/ResponseType/AccessTokenInterface.php b/src/OAuth2/ResponseType/AccessTokenInterface.php index 4bd3928d8..0e576df52 100644 --- a/src/OAuth2/ResponseType/AccessTokenInterface.php +++ b/src/OAuth2/ResponseType/AccessTokenInterface.php @@ -3,7 +3,6 @@ namespace OAuth2\ResponseType; /** - * * @author Brent Shaffer */ interface AccessTokenInterface extends ResponseTypeInterface @@ -11,10 +10,10 @@ interface AccessTokenInterface extends ResponseTypeInterface /** * Handle the creation of access token, also issue refresh token if supported / desirable. * - * @param $client_id client identifier related to the access token. - * @param $user_id user ID associated with the access token - * @param $scope OPTONAL scopes to be stored in space-separated string. - * @param bool $includeRefreshToken if true, a new refresh_token will be added to the response + * @param mixed $client_id - client identifier related to the access token. + * @param mixed $user_id - user ID associated with the access token + * @param string $scope - OPTONAL scopes to be stored in space-separated string. + * @param bool $includeRefreshToken - if true, a new refresh_token will be added to the response * * @see http://tools.ietf.org/html/rfc6749#section-5 * @ingroup oauth2_section_5 @@ -31,4 +30,4 @@ public function createAccessToken($client_id, $user_id, $scope = null, $includeR * @todo v2.0 include this method in interface. Omitted to maintain BC in v1.x */ //public function revokeToken($token, $tokenTypeHint); -} +} \ No newline at end of file diff --git a/src/OAuth2/ResponseType/AuthorizationCode.php b/src/OAuth2/ResponseType/AuthorizationCode.php index 52aeb4be5..b92c73cda 100644 --- a/src/OAuth2/ResponseType/AuthorizationCode.php +++ b/src/OAuth2/ResponseType/AuthorizationCode.php @@ -5,7 +5,6 @@ use OAuth2\Storage\AuthorizationCodeInterface as AuthorizationCodeStorageInterface; /** - * * @author Brent Shaffer */ class AuthorizationCode implements AuthorizationCodeInterface @@ -85,7 +84,9 @@ public function enforceRedirect() protected function generateAuthorizationCode() { $tokenLen = 40; - if (function_exists('openssl_random_pseudo_bytes')) { + if (function_exists('random_bytes')) { + $randomData = random_bytes(100); + } elseif (function_exists('openssl_random_pseudo_bytes')) { $randomData = openssl_random_pseudo_bytes(100); } elseif (function_exists('mcrypt_create_iv')) { $randomData = mcrypt_create_iv(100, MCRYPT_DEV_URANDOM); diff --git a/src/OAuth2/ResponseType/AuthorizationCodeInterface.php b/src/OAuth2/ResponseType/AuthorizationCodeInterface.php index df777e221..4f0a29df4 100644 --- a/src/OAuth2/ResponseType/AuthorizationCodeInterface.php +++ b/src/OAuth2/ResponseType/AuthorizationCodeInterface.php @@ -3,7 +3,6 @@ namespace OAuth2\ResponseType; /** - * * @author Brent Shaffer */ interface AuthorizationCodeInterface extends ResponseTypeInterface @@ -17,11 +16,12 @@ public function enforceRedirect(); /** * Handle the creation of the authorization code. * - * @param $client_id client identifier related to the authorization code - * @param $user_id user id associated with the authorization code - * @param $redirect_uri an absolute URI to which the authorization server will redirect the - * user-agent to when the end-user authorization step is completed. - * @param $scope OPTIONAL scopes to be stored in space-separated string. + * @param mixed $client_id - Client identifier related to the authorization code + * @param mixed $user_id - User ID associated with the authorization code + * @param string $redirect_uri - An absolute URI to which the authorization server will redirect the + * user-agent to when the end-user authorization step is completed. + * @param string $scope - OPTIONAL Scopes to be stored in space-separated string. + * @return string * * @see http://tools.ietf.org/html/rfc6749#section-4 * @ingroup oauth2_section_4 diff --git a/src/OAuth2/ResponseType/JwtAccessToken.php b/src/OAuth2/ResponseType/JwtAccessToken.php index 3942fe41e..0af9705ff 100644 --- a/src/OAuth2/ResponseType/JwtAccessToken.php +++ b/src/OAuth2/ResponseType/JwtAccessToken.php @@ -10,7 +10,6 @@ use OAuth2\Storage\Memory; /** - * * @author Brent Shaffer */ class JwtAccessToken extends AccessToken @@ -19,10 +18,13 @@ class JwtAccessToken extends AccessToken protected $encryptionUtil; /** - * @param $config - * - store_encrypted_token_string (bool true) - * whether the entire encrypted string is stored, - * or just the token ID is stored + * @param PublicKeyInterface $publicKeyStorage - + * @param AccessTokenStorageInterface $tokenStorage - + * @param RefreshTokenInterface $refreshStorage - + * @param array $config - array with key store_encrypted_token_string (bool true) + * whether the entire encrypted string is stored, + * or just the token ID is stored + * @param EncryptionInterface $encryptionUtil - */ public function __construct(PublicKeyInterface $publicKeyStorage = null, AccessTokenStorageInterface $tokenStorage = null, RefreshTokenInterface $refreshStorage = null, array $config = array(), EncryptionInterface $encryptionUtil = null) { @@ -45,46 +47,31 @@ public function __construct(PublicKeyInterface $publicKeyStorage = null, AccessT /** * Handle the creation of access token, also issue refresh token if supported / desirable. * - * @param $client_id - * Client identifier related to the access token. - * @param $user_id - * User ID associated with the access token - * @param $scope - * (optional) Scopes to be stored in space-separated string. - * @param bool $includeRefreshToken - * If true, a new refresh_token will be added to the response + * @param mixed $client_id - Client identifier related to the access token. + * @param mixed $user_id - User ID associated with the access token + * @param string $scope - (optional) Scopes to be stored in space-separated string. + * @param bool $includeRefreshToken - If true, a new refresh_token will be added to the response + * @return array - The access token * * @see http://tools.ietf.org/html/rfc6749#section-5 * @ingroup oauth2_section_5 */ public function createAccessToken($client_id, $user_id, $scope = null, $includeRefreshToken = true) { - // token to encrypt - $expires = time() + $this->config['access_lifetime']; - $id = $this->generateAccessToken(); - $jwtAccessToken = array( - 'id' => $id, // for BC (see #591) - 'jti' => $id, - 'iss' => $this->config['issuer'], - 'aud' => $client_id, - 'sub' => $user_id, - 'exp' => $expires, - 'iat' => time(), - 'token_type' => $this->config['token_type'], - 'scope' => $scope - ); + // payload to encrypt + $payload = $this->createPayload($client_id, $user_id, $scope); /* - * Encode the token data into a single access_token string + * Encode the payload data into a single JWT access_token string */ - $access_token = $this->encodeToken($jwtAccessToken, $client_id); + $access_token = $this->encodeToken($payload, $client_id); /* * Save the token to a secondary storage. This is implemented on the * OAuth2\Storage\JwtAccessToken side, and will not actually store anything, * if no secondary storage has been supplied */ - $token_to_store = $this->config['store_encrypted_token_string'] ? $access_token : $jwtAccessToken['id']; + $token_to_store = $this->config['store_encrypted_token_string'] ? $access_token : $payload['id']; $this->tokenStorage->setAccessToken($token_to_store, $client_id, $user_id, $this->config['access_lifetime'] ? time() + $this->config['access_lifetime'] : null, $scope); // token to return to the client @@ -114,6 +101,11 @@ public function createAccessToken($client_id, $user_id, $scope = null, $includeR return $token; } + /** + * @param array $token + * @param mixed $client_id + * @return mixed + */ protected function encodeToken(array $token, $client_id = null) { $private_key = $this->publicKeyStorage->getPrivateKey($client_id); @@ -121,4 +113,31 @@ protected function encodeToken(array $token, $client_id = null) return $this->encryptionUtil->encode($token, $private_key, $algorithm); } + + /** + * This function can be used to create custom JWT payloads + * + * @param mixed $client_id - Client identifier related to the access token. + * @param mixed $user_id - User ID associated with the access token + * @param string $scope - (optional) Scopes to be stored in space-separated string. + * @return array - The access token + */ + protected function createPayload($client_id, $user_id, $scope = null) + { + // token to encrypt + $expires = time() + $this->config['access_lifetime']; + $id = $this->generateAccessToken(); + + return array( + 'id' => $id, // for BC (see #591) + 'jti' => $id, + 'iss' => $this->config['issuer'], + 'aud' => $client_id, + 'sub' => $user_id, + 'exp' => $expires, + 'iat' => time(), + 'token_type' => $this->config['token_type'], + 'scope' => $scope + ); + } } diff --git a/src/OAuth2/ResponseType/ResponseTypeInterface.php b/src/OAuth2/ResponseType/ResponseTypeInterface.php index f8e26a5b0..a27156580 100644 --- a/src/OAuth2/ResponseType/ResponseTypeInterface.php +++ b/src/OAuth2/ResponseType/ResponseTypeInterface.php @@ -4,5 +4,10 @@ interface ResponseTypeInterface { + /** + * @param array $params + * @param mixed $user_id + * @return mixed + */ public function getAuthorizeResponse($params, $user_id = null); } diff --git a/src/OAuth2/Scope.php b/src/OAuth2/Scope.php index c44350bfd..3ba6e5328 100644 --- a/src/OAuth2/Scope.php +++ b/src/OAuth2/Scope.php @@ -2,19 +2,23 @@ namespace OAuth2; +use InvalidArgumentException; use OAuth2\Storage\Memory; use OAuth2\Storage\ScopeInterface as ScopeStorageInterface; /** -* @see OAuth2\ScopeInterface +* @see ScopeInterface */ class Scope implements ScopeInterface { protected $storage; /** - * @param mixed @storage - * Either an array of supported scopes, or an instance of OAuth2\Storage\ScopeInterface + * Constructor + * + * @param mixed $storage - Either an array of supported scopes, or an instance of OAuth2\Storage\ScopeInterface + * + * @throws InvalidArgumentException */ public function __construct($storage = null) { @@ -23,7 +27,7 @@ public function __construct($storage = null) } if (!$storage instanceof ScopeStorageInterface) { - throw new \InvalidArgumentException("Argument 1 to OAuth2\Scope must be null, an array, or instance of OAuth2\Storage\ScopeInterface"); + throw new InvalidArgumentException("Argument 1 to OAuth2\Scope must be null, an array, or instance of OAuth2\Storage\ScopeInterface"); } $this->storage = $storage; @@ -32,12 +36,10 @@ public function __construct($storage = null) /** * Check if everything in required scope is contained in available scope. * - * @param $required_scope - * A space-separated string of scopes. - * - * @return - * TRUE if everything in required scope is contained in available scope, - * and FALSE if it isn't. + * @param string $required_scope - A space-separated string of scopes. + * @param string $available_scope - A space-separated string of scopes. + * @return bool - TRUE if everything in required scope is contained in available scope and FALSE + * if it isn't. * * @see http://tools.ietf.org/html/rfc6749#section-7 * @@ -54,11 +56,8 @@ public function checkScope($required_scope, $available_scope) /** * Check if the provided scope exists in storage. * - * @param $scope - * A space-separated string of scopes. - * - * @return - * TRUE if it exists, FALSE otherwise. + * @param string $scope - A space-separated string of scopes. + * @return bool - TRUE if it exists, FALSE otherwise. */ public function scopeExists($scope) { @@ -76,12 +75,20 @@ public function scopeExists($scope) } } + /** + * @param RequestInterface $request + * @return string + */ public function getScopeFromRequest(RequestInterface $request) { // "scope" is valid if passed in either POST or QUERY return $request->request('scope', $request->query('scope')); } + /** + * @param null $client_id + * @return mixed + */ public function getDefaultScope($client_id = null) { return $this->storage->getDefaultScope($client_id); @@ -93,8 +100,7 @@ public function getDefaultScope($client_id = null) * In case OpenID Connect is used, these scopes must include: * 'openid', offline_access'. * - * @return - * An array of reserved scopes. + * @return array - An array of reserved scopes. */ public function getReservedScopes() { diff --git a/src/OAuth2/ScopeInterface.php b/src/OAuth2/ScopeInterface.php index 5b60f9aee..f65cfa7bd 100644 --- a/src/OAuth2/ScopeInterface.php +++ b/src/OAuth2/ScopeInterface.php @@ -7,19 +7,17 @@ /** * Class to handle scope implementation logic * - * @see OAuth2\Storage\ScopeInterface + * @see \OAuth2\Storage\ScopeInterface */ interface ScopeInterface extends ScopeStorageInterface { /** * Check if everything in required scope is contained in available scope. * - * @param $required_scope - * A space-separated string of scopes. - * - * @return - * TRUE if everything in required scope is contained in available scope, - * and FALSE if it isn't. + * @param string $required_scope - A space-separated string of scopes. + * @param string $available_scope - A space-separated string of scopes. + * @return boolean - TRUE if everything in required scope is contained in available scope and FALSE + * if it isn't. * * @see http://tools.ietf.org/html/rfc6749#section-7 * @@ -30,11 +28,8 @@ public function checkScope($required_scope, $available_scope); /** * Return scope info from request * - * @param OAuth2\RequestInterface - * Request object to check - * - * @return - * string representation of requested scope + * @param RequestInterface $request - Request object to check + * @return string - representation of requested scope */ public function getScopeFromRequest(RequestInterface $request); } diff --git a/src/OAuth2/Server.php b/src/OAuth2/Server.php index 9cfcb83a5..62ae8970d 100644 --- a/src/OAuth2/Server.php +++ b/src/OAuth2/Server.php @@ -30,25 +30,28 @@ use OAuth2\GrantType\ClientCredentials; use OAuth2\GrantType\RefreshToken; use OAuth2\GrantType\AuthorizationCode; +use OAuth2\Storage\ClientCredentialsInterface; +use OAuth2\Storage\ClientInterface; use OAuth2\Storage\JwtAccessToken as JwtAccessTokenStorage; use OAuth2\Storage\JwtAccessTokenInterface; +use InvalidArgumentException; +use LogicException; /** * Server class for OAuth2 * This class serves as a convience class which wraps the other Controller classes * -* @see OAuth2\Controller\ResourceController -* @see OAuth2\Controller\AuthorizeController -* @see OAuth2\Controller\TokenController +* @see \OAuth2\Controller\ResourceController +* @see \OAuth2\Controller\AuthorizeController +* @see \OAuth2\Controller\TokenController */ class Server implements ResourceControllerInterface, AuthorizeControllerInterface, TokenControllerInterface, UserInfoControllerInterface { - // misc properties /** - * @var Response + * @var ResponseInterface */ protected $response; @@ -62,7 +65,6 @@ class Server implements ResourceControllerInterface, */ protected $storages; - // servers /** * @var AuthorizeControllerInterface */ @@ -83,17 +85,34 @@ class Server implements ResourceControllerInterface, */ protected $userInfoController; - // config classes - protected $grantTypes; - protected $responseTypes; + /** + * @var array + */ + protected $grantTypes = []; + + /** + * @var array + */ + protected $responseTypes = []; + + /** + * @var TokenTypeInterface + */ protected $tokenType; /** * @var ScopeInterface */ protected $scopeUtil; + + /** + * @var ClientAssertionTypeInterface + */ protected $clientAssertionType; + /** + * @var array + */ protected $storageMap = array( 'access_token' => 'OAuth2\Storage\AccessTokenInterface', 'authorization_code' => 'OAuth2\Storage\AuthorizationCodeInterface', @@ -107,6 +126,9 @@ class Server implements ResourceControllerInterface, 'scope' => 'OAuth2\Storage\ScopeInterface', ); + /** + * @var array + */ protected $responseTypeMap = array( 'token' => 'OAuth2\ResponseType\AccessTokenInterface', 'code' => 'OAuth2\ResponseType\AuthorizationCodeInterface', @@ -116,15 +138,15 @@ class Server implements ResourceControllerInterface, ); /** - * @param mixed $storage (array or OAuth2\Storage) - single object or array of objects implementing the - * required storage types (ClientCredentialsInterface and AccessTokenInterface as a minimum) - * @param array $config specify a different token lifetime, token header name, etc - * @param array $grantTypes An array of OAuth2\GrantType\GrantTypeInterface to use for granting access tokens - * @param array $responseTypes Response types to use. array keys should be "code" and and "token" for - * Access Token and Authorization Code response types - * @param \OAuth2\TokenType\TokenTypeInterface $tokenType The token type object to use. Valid token types are "bearer" and "mac" - * @param \OAuth2\ScopeInterface $scopeUtil The scope utility class to use to validate scope - * @param \OAuth2\ClientAssertionType\ClientAssertionTypeInterface $clientAssertionType The method in which to verify the client identity. Default is HttpBasic + * @param mixed $storage (array or OAuth2\Storage) - single object or array of objects implementing the + * required storage types (ClientCredentialsInterface and AccessTokenInterface as a minimum) + * @param array $config specify a different token lifetime, token header name, etc + * @param array $grantTypes An array of OAuth2\GrantType\GrantTypeInterface to use for granting access tokens + * @param array $responseTypes Response types to use. array keys should be "code" and "token" for + * Access Token and Authorization Code response types + * @param TokenTypeInterface $tokenType The token type object to use. Valid token types are "bearer" and "mac" + * @param ScopeInterface $scopeUtil The scope utility class to use to validate scope + * @param ClientAssertionTypeInterface $clientAssertionType The method in which to verify the client identity. Default is HttpBasic * * @ingroup oauth2_section_7 */ @@ -172,6 +194,9 @@ public function __construct($storage = array(), array $config = array(), array $ } } + /** + * @return AuthorizeControllerInterface + */ public function getAuthorizeController() { if (is_null($this->authorizeController)) { @@ -181,6 +206,9 @@ public function getAuthorizeController() return $this->authorizeController; } + /** + * @return TokenController + */ public function getTokenController() { if (is_null($this->tokenController)) { @@ -190,6 +218,9 @@ public function getTokenController() return $this->tokenController; } + /** + * @return ResourceControllerInterface + */ public function getResourceController() { if (is_null($this->resourceController)) { @@ -199,6 +230,9 @@ public function getResourceController() return $this->resourceController; } + /** + * @return UserInfoControllerInterface + */ public function getUserInfoController() { if (is_null($this->userInfoController)) { @@ -209,8 +243,6 @@ public function getUserInfoController() } /** - * every getter deserves a setter - * * @param AuthorizeControllerInterface $authorizeController */ public function setAuthorizeController(AuthorizeControllerInterface $authorizeController) @@ -219,8 +251,6 @@ public function setAuthorizeController(AuthorizeControllerInterface $authorizeCo } /** - * every getter deserves a setter - * * @param TokenControllerInterface $tokenController */ public function setTokenController(TokenControllerInterface $tokenController) @@ -229,8 +259,6 @@ public function setTokenController(TokenControllerInterface $tokenController) } /** - * every getter deserves a setter - * * @param ResourceControllerInterface $resourceController */ public function setResourceController(ResourceControllerInterface $resourceController) @@ -239,8 +267,6 @@ public function setResourceController(ResourceControllerInterface $resourceContr } /** - * every getter deserves a setter - * * @param UserInfoControllerInterface $userInfoController */ public function setUserInfoController(UserInfoControllerInterface $userInfoController) @@ -252,12 +278,8 @@ public function setUserInfoController(UserInfoControllerInterface $userInfoContr * Return claims about the authenticated end-user. * This would be called from the "/UserInfo" endpoint as defined in the spec. * - * @param $request - \OAuth2\RequestInterface - * Request object to grant access token - * - * @param $response - \OAuth2\ResponseInterface - * Response object containing error messages (failure) or user claims (success) - * + * @param RequestInterface $request - Request object to grant access token + * @param ResponseInterface $response - Response object containing error messages (failure) or user claims (success) * @return ResponseInterface * * @throws \InvalidArgumentException @@ -278,12 +300,8 @@ public function handleUserInfoRequest(RequestInterface $request, ResponseInterfa * This would be called from the "/token" endpoint as defined in the spec. * Obviously, you can call your endpoint whatever you want. * - * @param $request - \OAuth2\RequestInterface - * Request object to grant access token - * - * @param $response - \OAuth2\ResponseInterface - * Response object containing error messages (failure) or access token (success) - * + * @param RequestInterface $request - Request object to grant access token + * @param ResponseInterface $response - Response object containing error messages (failure) or access token (success) * @return ResponseInterface * * @throws \InvalidArgumentException @@ -303,6 +321,11 @@ public function handleTokenRequest(RequestInterface $request, ResponseInterface return $this->response; } + /** + * @param RequestInterface $request - Request object to grant access token + * @param ResponseInterface $response - Response object + * @return mixed + */ public function grantAccessToken(RequestInterface $request, ResponseInterface $response = null) { $this->response = is_null($response) ? new Response() : $response; @@ -336,25 +359,18 @@ public function handleRevokeRequest(RequestInterface $request, ResponseInterface * authorization server should call this function to redirect the user * appropriately. * - * @param $request - * The request should have the follow parameters set in the querystring: - * - response_type: The requested response: an access token, an - * authorization code, or both. + * @param RequestInterface $request - The request should have the follow parameters set in the querystring: + * - response_type: The requested response: an access token, an authorization code, or both. * - client_id: The client identifier as described in Section 2. - * - redirect_uri: An absolute URI to which the authorization server - * will redirect the user-agent to when the end-user authorization - * step is completed. - * - scope: (optional) The scope of the resource request expressed as a - * list of space-delimited strings. - * - state: (optional) An opaque value used by the client to maintain - * state between the request and callback. - * @param ResponseInterface $response - * @param $is_authorized - * TRUE or FALSE depending on whether the user authorized the access. - * @param $user_id - * Identifier of user who authorized the client + * - redirect_uri: An absolute URI to which the authorization server will redirect the user-agent to when the + * end-user authorization step is completed. + * - scope: (optional) The scope of the resource request expressed as a list of space-delimited strings. + * - state: (optional) An opaque value used by the client to maintain state between the request and callback. * - * @return Response + * @param ResponseInterface $response - Response object + * @param bool $is_authorized - TRUE or FALSE depending on whether the user authorized the access. + * @param mixed $user_id - Identifier of user who authorized the client + * @return ResponseInterface * * @see http://tools.ietf.org/html/rfc6749#section-4 * @@ -371,14 +387,17 @@ public function handleAuthorizeRequest(RequestInterface $request, ResponseInterf /** * Pull the authorization request data out of the HTTP request. * - The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it - * by setting $config['enforce_redirect'] to true. + * by setting $config['enforce_redirect'] to true. * - The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that - * CSRF protection is MANDATORY. You can enforce this by setting the $config['enforce_state'] to true. + * CSRF protection is MANDATORY. You can enforce this by setting the $config['enforce_state'] to true. * * The draft specifies that the parameters should be retrieved from GET, override the Response * object to change this * - * @return + * @param RequestInterface $request - Request object + * @param ResponseInterface $response - Response object + * @return bool + * * The authorization parameters so the authorization server can prompt * the user for approval if valid. * @@ -395,6 +414,12 @@ public function validateAuthorizeRequest(RequestInterface $request, ResponseInte return $value; } + /** + * @param RequestInterface $request - Request object + * @param ResponseInterface $response - Response object + * @param string $scope - Scope + * @return mixed + */ public function verifyResourceRequest(RequestInterface $request, ResponseInterface $response = null, $scope = null) { $this->response = is_null($response) ? new Response() : $response; @@ -403,6 +428,11 @@ public function verifyResourceRequest(RequestInterface $request, ResponseInterfa return $value; } + /** + * @param RequestInterface $request - Request object + * @param ResponseInterface $response - Response object + * @return mixed + */ public function getAccessTokenData(RequestInterface $request, ResponseInterface $response = null) { $this->response = is_null($response) ? new Response() : $response; @@ -411,10 +441,14 @@ public function getAccessTokenData(RequestInterface $request, ResponseInterface return $value; } + /** + * @param GrantTypeInterface $grantType + * @param mixed $identifier + */ public function addGrantType(GrantTypeInterface $grantType, $identifier = null) { if (!is_string($identifier)) { - $identifier = $grantType->getQuerystringIdentifier(); + $identifier = $grantType->getQueryStringIdentifier(); } $this->grantTypes[$identifier] = $grantType; @@ -428,11 +462,10 @@ public function addGrantType(GrantTypeInterface $grantType, $identifier = null) /** * Set a storage object for the server * - * @param $storage - * An object implementing one of the Storage interfaces - * @param $key - * If null, the storage is set to the key of each storage interface it implements + * @param object $storage - An object implementing one of the Storage interfaces + * @param mixed $key - If null, the storage is set to the key of each storage interface it implements * + * @throws InvalidArgumentException * @see storageMap */ public function addStorage($storage, $key = null) @@ -446,11 +479,11 @@ public function addStorage($storage, $key = null) // special logic to handle "client" and "client_credentials" strangeness if ($key === 'client' && !isset($this->storages['client_credentials'])) { - if ($storage instanceof \OAuth2\Storage\ClientCredentialsInterface) { + if ($storage instanceof ClientCredentialsInterface) { $this->storages['client_credentials'] = $storage; } } elseif ($key === 'client_credentials' && !isset($this->storages['client'])) { - if ($storage instanceof \OAuth2\Storage\ClientInterface) { + if ($storage instanceof ClientInterface) { $this->storages['client'] = $storage; } } @@ -471,6 +504,12 @@ public function addStorage($storage, $key = null) } } + /** + * @param ResponseTypeInterface $responseType + * @param mixed $key + * + * @throws InvalidArgumentException + */ public function addResponseType(ResponseTypeInterface $responseType, $key = null) { $key = $this->normalizeResponseType($key); @@ -497,6 +536,9 @@ public function addResponseType(ResponseTypeInterface $responseType, $key = null } } + /** + * @return ScopeInterface + */ public function getScopeUtil() { if (!$this->scopeUtil) { @@ -508,8 +550,6 @@ public function getScopeUtil() } /** - * every getter deserves a setter - * * @param ScopeInterface $scopeUtil */ public function setScopeUtil($scopeUtil) @@ -517,6 +557,10 @@ public function setScopeUtil($scopeUtil) $this->scopeUtil = $scopeUtil; } + /** + * @return AuthorizeControllerInterface + * @throws LogicException + */ protected function createDefaultAuthorizeController() { if (!isset($this->storages['client'])) { @@ -541,6 +585,10 @@ protected function createDefaultAuthorizeController() return new AuthorizeController($this->storages['client'], $this->responseTypes, $config, $this->getScopeUtil()); } + /** + * @return TokenControllerInterface + * @throws LogicException + */ protected function createDefaultTokenController() { if (0 == count($this->grantTypes)) { @@ -562,7 +610,7 @@ protected function createDefaultTokenController() } if (!isset($this->storages['client'])) { - throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\ClientInterface to use the token server'); + throw new LogicException("You must supply a storage object implementing OAuth2\Storage\ClientInterface to use the token server"); } $accessTokenResponseType = $this->getAccessTokenResponseType(); @@ -570,6 +618,10 @@ protected function createDefaultTokenController() return new TokenController($accessTokenResponseType, $this->storages['client'], $this->grantTypes, $this->clientAssertionType, $this->getScopeUtil()); } + /** + * @return ResourceControllerInterface + * @throws LogicException + */ protected function createDefaultResourceController() { if ($this->config['use_jwt_access_tokens']) { @@ -590,6 +642,10 @@ protected function createDefaultResourceController() return new ResourceController($this->tokenType, $this->storages['access_token'], $config, $this->getScopeUtil()); } + /** + * @return UserInfoControllerInterface + * @throws LogicException + */ protected function createDefaultUserInfoController() { if ($this->config['use_jwt_access_tokens']) { @@ -614,6 +670,9 @@ protected function createDefaultUserInfoController() return new UserInfoController($this->tokenType, $this->storages['access_token'], $this->storages['user_claims'], $config, $this->getScopeUtil()); } + /** + * @return Bearer + */ protected function getDefaultTokenType() { $config = array_intersect_key($this->config, array_flip(explode(' ', 'token_param_name token_bearer_header_name'))); @@ -621,6 +680,10 @@ protected function getDefaultTokenType() return new Bearer($config); } + /** + * @return array + * @throws LogicException + */ protected function getDefaultResponseTypes() { $responseTypes = array(); @@ -656,6 +719,10 @@ protected function getDefaultResponseTypes() return $responseTypes; } + /** + * @return array + * @throws LogicException + */ protected function getDefaultGrantTypes() { $grantTypes = array(); @@ -692,6 +759,9 @@ protected function getDefaultGrantTypes() return $grantTypes; } + /** + * @return AccessToken + */ protected function getAccessTokenResponseType() { if (isset($this->responseTypes['token'])) { @@ -705,6 +775,9 @@ protected function getAccessTokenResponseType() return $this->createDefaultAccessTokenResponseType(); } + /** + * @return IdToken + */ protected function getIdTokenResponseType() { if (isset($this->responseTypes['id_token'])) { @@ -714,6 +787,9 @@ protected function getIdTokenResponseType() return $this->createDefaultIdTokenResponseType(); } + /** + * @return IdTokenToken + */ protected function getIdTokenTokenResponseType() { if (isset($this->responseTypes['id_token token'])) { @@ -725,6 +801,9 @@ protected function getIdTokenTokenResponseType() /** * For Resource Controller + * + * @return JwtAccessTokenStorage + * @throws LogicException */ protected function createDefaultJwtAccessTokenStorage() { @@ -741,6 +820,9 @@ protected function createDefaultJwtAccessTokenStorage() /** * For Authorize and Token Controllers + * + * @return JwtAccessToken + * @throws LogicException */ protected function createDefaultJwtAccessTokenResponseType() { @@ -763,10 +845,14 @@ protected function createDefaultJwtAccessTokenResponseType() return new JwtAccessToken($this->storages['public_key'], $tokenStorage, $refreshStorage, $config); } + /** + * @return AccessToken + * @throws LogicException + */ protected function createDefaultAccessTokenResponseType() { if (!isset($this->storages['access_token'])) { - throw new \LogicException('You must supply a response type implementing OAuth2\ResponseType\AccessTokenInterface, or a storage object implementing OAuth2\Storage\AccessTokenInterface to use the token server'); + throw new LogicException("You must supply a response type implementing OAuth2\ResponseType\AccessTokenInterface, or a storage object implementing OAuth2\Storage\AccessTokenInterface to use the token server"); } $refreshStorage = null; @@ -780,13 +866,17 @@ protected function createDefaultAccessTokenResponseType() return new AccessToken($this->storages['access_token'], $refreshStorage, $config); } + /** + * @return IdToken + * @throws LogicException + */ protected function createDefaultIdTokenResponseType() { if (!isset($this->storages['user_claims'])) { - throw new \LogicException('You must supply a storage object implementing OAuth2\OpenID\Storage\UserClaimsInterface to use openid connect'); + throw new LogicException("You must supply a storage object implementing OAuth2\OpenID\Storage\UserClaimsInterface to use openid connect"); } if (!isset($this->storages['public_key'])) { - throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\PublicKeyInterface to use openid connect'); + throw new LogicException("You must supply a storage object implementing OAuth2\Storage\PublicKeyInterface to use openid connect"); } $config = array_intersect_key($this->config, array_flip(explode(' ', 'issuer id_lifetime'))); @@ -794,11 +884,17 @@ protected function createDefaultIdTokenResponseType() return new IdToken($this->storages['user_claims'], $this->storages['public_key'], $config); } + /** + * @return IdTokenToken + */ protected function createDefaultIdTokenTokenResponseType() { return new IdTokenToken($this->getAccessTokenResponseType(), $this->getIdTokenResponseType()); } + /** + * @throws InvalidArgumentException + */ protected function validateOpenIdConnect() { $authCodeGrant = $this->getGrantType('authorization_code'); @@ -807,6 +903,10 @@ protected function validateOpenIdConnect() } } + /** + * @param string $name + * @return string + */ protected function normalizeResponseType($name) { // for multiple-valued response types - make them alphabetical @@ -819,36 +919,60 @@ protected function normalizeResponseType($name) return $name; } + /** + * @return mixed + */ public function getResponse() { return $this->response; } + /** + * @return array + */ public function getStorages() { return $this->storages; } + /** + * @param string $name + * @return object|null + */ public function getStorage($name) { return isset($this->storages[$name]) ? $this->storages[$name] : null; } + /** + * @return array + */ public function getGrantTypes() { return $this->grantTypes; } + /** + * @param string $name + * @return object|null + */ public function getGrantType($name) { return isset($this->grantTypes[$name]) ? $this->grantTypes[$name] : null; } + /** + * @return array + */ public function getResponseTypes() { return $this->responseTypes; } + /** + * @param string $name + * @return object|null + */ public function getResponseType($name) { // for multiple-valued response types - make them alphabetical @@ -857,23 +981,38 @@ public function getResponseType($name) return isset($this->responseTypes[$name]) ? $this->responseTypes[$name] : null; } + /** + * @return TokenTypeInterface + */ public function getTokenType() { return $this->tokenType; } + /** + * @return ClientAssertionTypeInterface + */ public function getClientAssertionType() { return $this->clientAssertionType; } + /** + * @param string $name + * @param mixed $value + */ public function setConfig($name, $value) { $this->config[$name] = $value; } + /** + * @param string $name + * @param mixed $default + * @return mixed + */ public function getConfig($name, $default = null) { return isset($this->config[$name]) ? $this->config[$name] : $default; } -} +} \ No newline at end of file diff --git a/src/OAuth2/Storage/AccessTokenInterface.php b/src/OAuth2/Storage/AccessTokenInterface.php index 1819158af..22428f2c8 100644 --- a/src/OAuth2/Storage/AccessTokenInterface.php +++ b/src/OAuth2/Storage/AccessTokenInterface.php @@ -15,17 +15,18 @@ interface AccessTokenInterface * * We need to retrieve access token data as we create and verify tokens. * - * @param $oauth_token - * oauth_token to be check with. + * @param string $oauth_token - oauth_token to be check with. * - * @return - * An associative array as below, and return NULL if the supplied oauth_token - * is invalid: - * - expires: Stored expiration in unix timestamp. - * - client_id: (optional) Stored client identifier. - * - user_id: (optional) Stored user identifier. - * - scope: (optional) Stored scope values in space-separated string. - * - id_token: (optional) Stored id_token (if "use_openid_connect" is true). + * @return array|null - An associative array as below, and return NULL if the supplied oauth_token is invalid: + * @code + * array( + * 'expires' => $expires, // Stored expiration in unix timestamp. + * 'client_id' => $client_id, // (optional) Stored client identifier. + * 'user_id' => $user_id, // (optional) Stored user identifier. + * 'scope' => $scope, // (optional) Stored scope values in space-separated string. + * 'id_token' => $id_token // (optional) Stored id_token (if "use_openid_connect" is true). + * ); + * @endcode * * @ingroup oauth2_section_7 */ @@ -36,11 +37,11 @@ public function getAccessToken($oauth_token); * * We need to store access token data as we create and verify tokens. * - * @param $oauth_token oauth_token to be stored. - * @param $client_id client identifier to be stored. - * @param $user_id user identifier to be stored. - * @param int $expires expiration to be stored as a Unix timestamp. - * @param string $scope OPTIONAL Scopes to be stored in space-separated string. + * @param string $oauth_token - oauth_token to be stored. + * @param mixed $client_id - client identifier to be stored. + * @param mixed $user_id - user identifier to be stored. + * @param int $expires - expiration to be stored as a Unix timestamp. + * @param string $scope - OPTIONAL Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ @@ -61,4 +62,4 @@ public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $sc * @todo v2.0 include this method in interface. Omitted to maintain BC in v1.x */ //public function unsetAccessToken($access_token); -} +} \ No newline at end of file diff --git a/src/OAuth2/Storage/AuthorizationCodeInterface.php b/src/OAuth2/Storage/AuthorizationCodeInterface.php index edc7c70e5..2dbc138ac 100644 --- a/src/OAuth2/Storage/AuthorizationCodeInterface.php +++ b/src/OAuth2/Storage/AuthorizationCodeInterface.php @@ -59,12 +59,12 @@ public function getAuthorizationCode($code); * * Required for OAuth2::GRANT_TYPE_AUTH_CODE. * - * @param string $code Authorization code to be stored. - * @param mixed $client_id Client identifier to be stored. - * @param mixed $user_id User identifier to be stored. - * @param string $redirect_uri Redirect URI(s) to be stored in a space-separated string. - * @param int $expires Expiration to be stored as a Unix timestamp. - * @param string $scope OPTIONAL Scopes to be stored in space-separated string. + * @param string $code - Authorization code to be stored. + * @param mixed $client_id - Client identifier to be stored. + * @param mixed $user_id - User identifier to be stored. + * @param string $redirect_uri - Redirect URI(s) to be stored in a space-separated string. + * @param int $expires - Expiration to be stored as a Unix timestamp. + * @param string $scope - OPTIONAL Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ diff --git a/src/OAuth2/Storage/Cassandra.php b/src/OAuth2/Storage/Cassandra.php index c5048c08d..e60e9d3ad 100644 --- a/src/OAuth2/Storage/Cassandra.php +++ b/src/OAuth2/Storage/Cassandra.php @@ -7,24 +7,25 @@ use phpcassa\Connection\ConnectionPool; use OAuth2\OpenID\Storage\UserClaimsInterface; use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface; +use InvalidArgumentException; /** * Cassandra storage for all storage types * - * To use, install "thobbs/phpcassa" via composer + * To use, install "thobbs/phpcassa" via composer: * - * composer require thobbs/phpcassa:dev-master + * composer require thobbs/phpcassa:dev-master * * - * Once this is done, instantiate the + * Once this is done, instantiate the connection: * - * $cassandra = new \phpcassa\Connection\ConnectionPool('oauth2_server', array('127.0.0.1:9160')); + * $cassandra = new \phpcassa\Connection\ConnectionPool('oauth2_server', array('127.0.0.1:9160')); * * * Then, register the storage client: * - * $storage = new OAuth2\Storage\Cassandra($cassandra); - * $storage->setClientDetails($client_id, $client_secret, $redirect_uri); + * $storage = new OAuth2\Storage\Cassandra($cassandra); + * $storage->setClientDetails($client_id, $client_secret, $redirect_uri); * * * @see test/lib/OAuth2/Storage/Bootstrap::getCassandraStorage @@ -43,17 +44,23 @@ class Cassandra implements AuthorizationCodeInterface, private $cache; - /* The cassandra client */ + /** + * @var ConnectionPool + */ protected $cassandra; - /* Configuration array */ + /** + * @var array + */ protected $config; /** * Cassandra Storage! uses phpCassa * - * @param \phpcassa\ConnectionPool $cassandra - * @param array $config + * @param ConnectionPool|array $connection + * @param array $config + * + * @throws InvalidArgumentException */ public function __construct($connection = array(), array $config = array()) { @@ -61,7 +68,7 @@ public function __construct($connection = array(), array $config = array()) $this->cassandra = $connection; } else { if (!is_array($connection)) { - throw new \InvalidArgumentException('First argument to OAuth2\Storage\Cassandra must be an instance of phpcassa\Connection\ConnectionPool or a configuration array'); + throw new InvalidArgumentException('First argument to OAuth2\Storage\Cassandra must be an instance of phpcassa\Connection\ConnectionPool or a configuration array'); } $connection = array_merge(array( 'keyspace' => 'oauth2', @@ -87,6 +94,10 @@ public function __construct($connection = array(), array $config = array()) ), $config); } + /** + * @param $key + * @return bool|mixed + */ protected function getValue($key) { if (isset($this->cache[$key])) { @@ -104,6 +115,12 @@ protected function getValue($key) return json_decode($value, true); } + /** + * @param $key + * @param $value + * @param int $expire + * @return bool + */ protected function setValue($key, $value, $expire = 0) { $this->cache[$key] = $value; @@ -131,6 +148,10 @@ protected function setValue($key, $value, $expire = 0) return true; } + /** + * @param $key + * @return bool + */ protected function expireValue($key) { unset($this->cache[$key]); @@ -151,12 +172,25 @@ protected function expireValue($key) return false; } - /* AuthorizationCodeInterface */ + /** + * @param string $code + * @return bool|mixed + */ public function getAuthorizationCode($code) { return $this->getValue($this->config['code_key'] . $code); } + /** + * @param string $authorization_code + * @param mixed $client_id + * @param mixed $user_id + * @param string $redirect_uri + * @param int $expires + * @param string $scope + * @param string $id_token + * @return bool + */ public function setAuthorizationCode($authorization_code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) { return $this->setValue( @@ -166,6 +200,10 @@ public function setAuthorizationCode($authorization_code, $client_id, $user_id, ); } + /** + * @param string $code + * @return bool + */ public function expireAuthorizationCode($code) { $key = $this->config['code_key'] . $code; @@ -174,7 +212,11 @@ public function expireAuthorizationCode($code) return $this->expireValue($key); } - /* UserCredentialsInterface */ + /** + * @param string $username + * @param string $password + * @return bool + */ public function checkUserCredentials($username, $password) { if ($user = $this->getUser($username)) { @@ -184,7 +226,13 @@ public function checkUserCredentials($username, $password) return false; } - // plaintext passwords are bad! Override this for your application + /** + * plaintext passwords are bad! Override this for your application + * + * @param array $user + * @param string $password + * @return bool + */ protected function checkPassword($user, $password) { return $user['password'] == $this->hashPassword($password); @@ -196,11 +244,19 @@ protected function hashPassword($password) return sha1($password); } + /** + * @param string $username + * @return array|bool|false + */ public function getUserDetails($username) { return $this->getUser($username); } + /** + * @param string $username + * @return array|bool + */ public function getUser($username) { if (!$userInfo = $this->getValue($this->config['user_key'] . $username)) { @@ -213,6 +269,13 @@ public function getUser($username) ), $userInfo); } + /** + * @param string $username + * @param string $password + * @param string $first_name + * @param string $last_name + * @return bool + */ public function setUser($username, $password, $first_name = null, $last_name = null) { $password = $this->hashPassword($password); @@ -223,7 +286,11 @@ public function setUser($username, $password, $first_name = null, $last_name = n ); } - /* ClientCredentialsInterface */ + /** + * @param mixed $client_id + * @param string $client_secret + * @return bool + */ public function checkClientCredentials($client_id, $client_secret = null) { if (!$client = $this->getClientDetails($client_id)) { @@ -234,6 +301,10 @@ public function checkClientCredentials($client_id, $client_secret = null) && $client['client_secret'] == $client_secret; } + /** + * @param $client_id + * @return bool + */ public function isPublicClient($client_id) { if (!$client = $this->getClientDetails($client_id)) { @@ -243,12 +314,24 @@ public function isPublicClient($client_id) return empty($client['client_secret']); } - /* ClientInterface */ + /** + * @param $client_id + * @return array|bool|mixed + */ public function getClientDetails($client_id) { return $this->getValue($this->config['client_key'] . $client_id); } + /** + * @param $client_id + * @param null $client_secret + * @param null $redirect_uri + * @param null $grant_types + * @param null $scope + * @param null $user_id + * @return bool + */ public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null) { return $this->setValue( @@ -257,6 +340,11 @@ public function setClientDetails($client_id, $client_secret = null, $redirect_ur ); } + /** + * @param $client_id + * @param $grant_type + * @return bool + */ public function checkRestrictedGrantType($client_id, $grant_type) { $details = $this->getClientDetails($client_id); @@ -270,12 +358,23 @@ public function checkRestrictedGrantType($client_id, $grant_type) return true; } - /* RefreshTokenInterface */ + /** + * @param $refresh_token + * @return bool|mixed + */ public function getRefreshToken($refresh_token) { return $this->getValue($this->config['refresh_token_key'] . $refresh_token); } + /** + * @param $refresh_token + * @param $client_id + * @param $user_id + * @param $expires + * @param null $scope + * @return bool + */ public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null) { return $this->setValue( @@ -285,17 +384,32 @@ public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, ); } + /** + * @param $refresh_token + * @return bool + */ public function unsetRefreshToken($refresh_token) { return $this->expireValue($this->config['refresh_token_key'] . $refresh_token); } - /* AccessTokenInterface */ + /** + * @param string $access_token + * @return array|bool|mixed|null + */ public function getAccessToken($access_token) { return $this->getValue($this->config['access_token_key'].$access_token); } + /** + * @param string $access_token + * @param mixed $client_id + * @param mixed $user_id + * @param int $expires + * @param null $scope + * @return bool + */ public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null) { return $this->setValue( @@ -305,12 +419,19 @@ public function setAccessToken($access_token, $client_id, $user_id, $expires, $s ); } + /** + * @param $access_token + * @return bool + */ public function unsetAccessToken($access_token) { return $this->expireValue($this->config['access_token_key'] . $access_token); } - /* ScopeInterface */ + /** + * @param $scope + * @return bool + */ public function scopeExists($scope) { $scope = explode(' ', $scope); @@ -322,6 +443,10 @@ public function scopeExists($scope) return (count(array_diff($scope, $supportedScope)) == 0); } + /** + * @param null $client_id + * @return bool|mixed + */ public function getDefaultScope($client_id = null) { if (is_null($client_id) || !$result = $this->getValue($this->config['scope_key'].'default:'.$client_id)) { @@ -331,6 +456,13 @@ public function getDefaultScope($client_id = null) return $result; } + /** + * @param $scope + * @param null $client_id + * @param string $type + * @return bool + * @throws \InvalidArgumentException + */ public function setScope($scope, $client_id = null, $type = 'supported') { if (!in_array($type, array('default', 'supported'))) { @@ -346,7 +478,11 @@ public function setScope($scope, $client_id = null, $type = 'supported') return $this->setValue($key, $scope); } - /*JWTBearerInterface */ + /** + * @param $client_id + * @param $subject + * @return bool|null + */ public function getClientKey($client_id, $subject) { if (!$jwt = $this->getValue($this->config['jwt_key'] . $client_id)) { @@ -360,6 +496,12 @@ public function getClientKey($client_id, $subject) return null; } + /** + * @param $client_id + * @param $key + * @param null $subject + * @return bool + */ public function setClientKey($client_id, $key, $subject = null) { return $this->setValue($this->config['jwt_key'] . $client_id, array( @@ -368,7 +510,10 @@ public function setClientKey($client_id, $key, $subject = null) )); } - /*ScopeInterface */ + /** + * @param $client_id + * @return bool|null + */ public function getClientScope($client_id) { if (!$clientDetails = $this->getClientDetails($client_id)) { @@ -382,19 +527,38 @@ public function getClientScope($client_id) return null; } + /** + * @param $client_id + * @param $subject + * @param $audience + * @param $expiration + * @param $jti + * @throws \Exception + */ public function getJti($client_id, $subject, $audience, $expiration, $jti) { //TODO: Needs cassandra implementation. throw new \Exception('getJti() for the Cassandra driver is currently unimplemented.'); } + /** + * @param $client_id + * @param $subject + * @param $audience + * @param $expiration + * @param $jti + * @throws \Exception + */ public function setJti($client_id, $subject, $audience, $expiration, $jti) { //TODO: Needs cassandra implementation. throw new \Exception('setJti() for the Cassandra driver is currently unimplemented.'); } - /* PublicKeyInterface */ + /** + * @param string $client_id + * @return mixed + */ public function getPublicKey($client_id = '') { $public_key = $this->getValue($this->config['public_key_key'] . $client_id); @@ -407,6 +571,10 @@ public function getPublicKey($client_id = '') } } + /** + * @param string $client_id + * @return mixed + */ public function getPrivateKey($client_id = '') { $public_key = $this->getValue($this->config['public_key_key'] . $client_id); @@ -419,6 +587,10 @@ public function getPrivateKey($client_id = '') } } + /** + * @param null $client_id + * @return mixed|string + */ public function getEncryptionAlgorithm($client_id = null) { $public_key = $this->getValue($this->config['public_key_key'] . $client_id); @@ -433,7 +605,11 @@ public function getEncryptionAlgorithm($client_id = null) return 'RS256'; } - /* UserClaimsInterface */ + /** + * @param mixed $user_id + * @param string $claims + * @return array|bool + */ public function getUserClaims($user_id, $claims) { $userDetails = $this->getUserDetails($user_id); @@ -460,6 +636,11 @@ public function getUserClaims($user_id, $claims) return $userClaims; } + /** + * @param $claim + * @param $userDetails + * @return array + */ protected function getUserClaim($claim, $userDetails) { $userClaims = array(); @@ -476,5 +657,4 @@ protected function getUserClaim($claim, $userDetails) return $userClaims; } - -} +} \ No newline at end of file diff --git a/src/OAuth2/Storage/CouchbaseDB.php b/src/OAuth2/Storage/CouchbaseDB.php index 1eb55f027..9e8148b6b 100755 --- a/src/OAuth2/Storage/CouchbaseDB.php +++ b/src/OAuth2/Storage/CouchbaseDB.php @@ -328,4 +328,4 @@ public function setJti($client_id, $subject, $audience, $expiration, $jti) //TODO: Needs couchbase implementation. throw new \Exception('setJti() for the Couchbase driver is currently unimplemented.'); } -} +} \ No newline at end of file diff --git a/src/OAuth2/Storage/DynamoDB.php b/src/OAuth2/Storage/DynamoDB.php index 8347ab258..a54cb3712 100644 --- a/src/OAuth2/Storage/DynamoDB.php +++ b/src/OAuth2/Storage/DynamoDB.php @@ -537,4 +537,4 @@ private static function isNotEmpty($value) { return null !== $value && '' !== $value; } -} +} \ No newline at end of file diff --git a/src/OAuth2/Storage/JwtAccessToken.php b/src/OAuth2/Storage/JwtAccessToken.php index 75b49d301..6ccacd6d9 100644 --- a/src/OAuth2/Storage/JwtAccessToken.php +++ b/src/OAuth2/Storage/JwtAccessToken.php @@ -6,7 +6,6 @@ use OAuth2\Encryption\Jwt; /** - * * @author Brent Shaffer */ class JwtAccessToken implements JwtAccessTokenInterface @@ -85,4 +84,4 @@ protected function convertJwtToOAuth2($tokenData) return $tokenData; } -} +} \ No newline at end of file diff --git a/src/OAuth2/Storage/Memory.php b/src/OAuth2/Storage/Memory.php index 42d833ccb..2c60b71ce 100644 --- a/src/OAuth2/Storage/Memory.php +++ b/src/OAuth2/Storage/Memory.php @@ -378,4 +378,4 @@ public function getEncryptionAlgorithm($client_id = null) return 'RS256'; } -} +} \ No newline at end of file diff --git a/src/OAuth2/Storage/Pdo.php b/src/OAuth2/Storage/Pdo.php index ae5107e29..074cee447 100644 --- a/src/OAuth2/Storage/Pdo.php +++ b/src/OAuth2/Storage/Pdo.php @@ -4,6 +4,7 @@ use OAuth2\OpenID\Storage\UserClaimsInterface; use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface; +use InvalidArgumentException; /** * Simple PDO storage for all storage types @@ -29,9 +30,22 @@ class Pdo implements UserClaimsInterface, OpenIDAuthorizationCodeInterface { + /** + * @var \PDO + */ protected $db; + + /** + * @var array + */ protected $config; + /** + * @param mixed $connection + * @param array $config + * + * @throws InvalidArgumentException + */ public function __construct($connection, $config = array()) { if (!$connection instanceof \PDO) { @@ -70,7 +84,11 @@ public function __construct($connection, $config = array()) ), $config); } - /* OAuth2\Storage\ClientCredentialsInterface */ + /** + * @param string $client_id + * @param null|string $client_secret + * @return bool + */ public function checkClientCredentials($client_id, $client_secret = null) { $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table'])); @@ -81,6 +99,10 @@ public function checkClientCredentials($client_id, $client_secret = null) return $result && $result['client_secret'] == $client_secret; } + /** + * @param string $client_id + * @return bool + */ public function isPublicClient($client_id) { $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table'])); @@ -93,7 +115,10 @@ public function isPublicClient($client_id) return empty($result['client_secret']); } - /* OAuth2\Storage\ClientInterface */ + /** + * @param string $client_id + * @return array|mixed + */ public function getClientDetails($client_id) { $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table'])); @@ -102,6 +127,15 @@ public function getClientDetails($client_id) return $stmt->fetch(\PDO::FETCH_ASSOC); } + /** + * @param string $client_id + * @param null|string $client_secret + * @param null|string $redirect_uri + * @param null|array $grant_types + * @param null|string $scope + * @param null|string $user_id + * @return bool + */ public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null) { // if it exists, update it. @@ -114,6 +148,11 @@ public function setClientDetails($client_id, $client_secret = null, $redirect_ur return $stmt->execute(compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id')); } + /** + * @param $client_id + * @param $grant_type + * @return bool + */ public function checkRestrictedGrantType($client_id, $grant_type) { $details = $this->getClientDetails($client_id); @@ -127,7 +166,10 @@ public function checkRestrictedGrantType($client_id, $grant_type) return true; } - /* OAuth2\Storage\AccessTokenInterface */ + /** + * @param string $access_token + * @return array|bool|mixed|null + */ public function getAccessToken($access_token) { $stmt = $this->db->prepare(sprintf('SELECT * from %s where access_token = :access_token', $this->config['access_token_table'])); @@ -141,6 +183,14 @@ public function getAccessToken($access_token) return $token; } + /** + * @param string $access_token + * @param mixed $client_id + * @param mixed $user_id + * @param int $expires + * @param string $scope + * @return bool + */ public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null) { // convert expires to datestring @@ -156,6 +206,10 @@ public function setAccessToken($access_token, $client_id, $user_id, $expires, $s return $stmt->execute(compact('access_token', 'client_id', 'user_id', 'expires', 'scope')); } + /** + * @param $access_token + * @return bool + */ public function unsetAccessToken($access_token) { $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE access_token = :access_token', $this->config['access_token_table'])); @@ -166,6 +220,10 @@ public function unsetAccessToken($access_token) } /* OAuth2\Storage\AuthorizationCodeInterface */ + /** + * @param string $code + * @return mixed + */ public function getAuthorizationCode($code) { $stmt = $this->db->prepare(sprintf('SELECT * from %s where authorization_code = :code', $this->config['code_table'])); @@ -179,6 +237,16 @@ public function getAuthorizationCode($code) return $code; } + /** + * @param string $code + * @param mixed $client_id + * @param mixed $user_id + * @param string $redirect_uri + * @param int $expires + * @param string $scope + * @param string $id_token + * @return bool|mixed + */ public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) { if (func_num_args() > 6) { @@ -199,6 +267,16 @@ public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, return $stmt->execute(compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope')); } + /** + * @param string $code + * @param mixed $client_id + * @param mixed $user_id + * @param string $redirect_uri + * @param string $expires + * @param string $scope + * @param string $id_token + * @return bool + */ private function setAuthorizationCodeWithIdToken($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) { // convert expires to datestring @@ -214,6 +292,10 @@ private function setAuthorizationCodeWithIdToken($code, $client_id, $user_id, $r return $stmt->execute(compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token')); } + /** + * @param string $code + * @return bool + */ public function expireAuthorizationCode($code) { $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE authorization_code = :code', $this->config['code_table'])); @@ -221,7 +303,11 @@ public function expireAuthorizationCode($code) return $stmt->execute(compact('code')); } - /* OAuth2\Storage\UserCredentialsInterface */ + /** + * @param string $username + * @param string $password + * @return bool + */ public function checkUserCredentials($username, $password) { if ($user = $this->getUser($username)) { @@ -231,12 +317,20 @@ public function checkUserCredentials($username, $password) return false; } + /** + * @param string $username + * @return array|bool + */ public function getUserDetails($username) { return $this->getUser($username); } - /* UserClaimsInterface */ + /** + * @param mixed $user_id + * @param string $claims + * @return array|bool + */ public function getUserClaims($user_id, $claims) { if (!$userDetails = $this->getUserDetails($user_id)) { @@ -262,6 +356,11 @@ public function getUserClaims($user_id, $claims) return $userClaims; } + /** + * @param string $claim + * @param array $userDetails + * @return array + */ protected function getUserClaim($claim, $userDetails) { $userClaims = array(); @@ -275,7 +374,10 @@ protected function getUserClaim($claim, $userDetails) return $userClaims; } - /* OAuth2\Storage\RefreshTokenInterface */ + /** + * @param string $refresh_token + * @return bool|mixed + */ public function getRefreshToken($refresh_token) { $stmt = $this->db->prepare(sprintf('SELECT * FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table'])); @@ -289,6 +391,14 @@ public function getRefreshToken($refresh_token) return $token; } + /** + * @param string $refresh_token + * @param mixed $client_id + * @param mixed $user_id + * @param string $expires + * @param string $scope + * @return bool + */ public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null) { // convert expires to datestring @@ -299,6 +409,10 @@ public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, return $stmt->execute(compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope')); } + /** + * @param string $refresh_token + * @return bool + */ public function unsetRefreshToken($refresh_token) { $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table'])); @@ -308,7 +422,13 @@ public function unsetRefreshToken($refresh_token) return $stmt->rowCount() > 0; } - // plaintext passwords are bad! Override this for your application + /** + * plaintext passwords are bad! Override this for your application + * + * @param array $user + * @param string $password + * @return bool + */ protected function checkPassword($user, $password) { return $user['password'] == $this->hashPassword($password); @@ -320,6 +440,10 @@ protected function hashPassword($password) return sha1($password); } + /** + * @param string $username + * @return array|bool + */ public function getUser($username) { $stmt = $this->db->prepare($sql = sprintf('SELECT * from %s where username=:username', $this->config['user_table'])); @@ -335,6 +459,15 @@ public function getUser($username) ), $userInfo); } + /** + * plaintext passwords are bad! Override this for your application + * + * @param string $username + * @param string $password + * @param string $firstName + * @param string $lastName + * @return bool + */ public function setUser($username, $password, $firstName = null, $lastName = null) { // do not store in plaintext @@ -350,7 +483,10 @@ public function setUser($username, $password, $firstName = null, $lastName = nul return $stmt->execute(compact('username', 'password', 'firstName', 'lastName')); } - /* ScopeInterface */ + /** + * @param string $scope + * @return bool + */ public function scopeExists($scope) { $scope = explode(' ', $scope); @@ -365,6 +501,10 @@ public function scopeExists($scope) return false; } + /** + * @param mixed $client_id + * @return null|string + */ public function getDefaultScope($client_id = null) { $stmt = $this->db->prepare(sprintf('SELECT scope FROM %s WHERE is_default=:is_default', $this->config['scope_table'])); @@ -381,7 +521,11 @@ public function getDefaultScope($client_id = null) return null; } - /* JWTBearerInterface */ + /** + * @param mixed $client_id + * @param $subject + * @return string + */ public function getClientKey($client_id, $subject) { $stmt = $this->db->prepare($sql = sprintf('SELECT public_key from %s where client_id=:client_id AND subject=:subject', $this->config['jwt_table'])); @@ -391,6 +535,10 @@ public function getClientKey($client_id, $subject) return $stmt->fetchColumn(); } + /** + * @param mixed $client_id + * @return bool|null + */ public function getClientScope($client_id) { if (!$clientDetails = $this->getClientDetails($client_id)) { @@ -404,6 +552,14 @@ public function getClientScope($client_id) return null; } + /** + * @param mixed $client_id + * @param $subject + * @param $audience + * @param $expires + * @param $jti + * @return array|null + */ public function getJti($client_id, $subject, $audience, $expires, $jti) { $stmt = $this->db->prepare($sql = sprintf('SELECT * FROM %s WHERE issuer=:client_id AND subject=:subject AND audience=:audience AND expires=:expires AND jti=:jti', $this->config['jti_table'])); @@ -423,6 +579,14 @@ public function getJti($client_id, $subject, $audience, $expires, $jti) return null; } + /** + * @param mixed $client_id + * @param $subject + * @param $audience + * @param $expires + * @param $jti + * @return bool + */ public function setJti($client_id, $subject, $audience, $expires, $jti) { $stmt = $this->db->prepare(sprintf('INSERT INTO %s (issuer, subject, audience, expires, jti) VALUES (:client_id, :subject, :audience, :expires, :jti)', $this->config['jti_table'])); @@ -430,7 +594,10 @@ public function setJti($client_id, $subject, $audience, $expires, $jti) return $stmt->execute(compact('client_id', 'subject', 'audience', 'expires', 'jti')); } - /* PublicKeyInterface */ + /** + * @param mixed $client_id + * @return mixed + */ public function getPublicKey($client_id = null) { $stmt = $this->db->prepare($sql = sprintf('SELECT public_key FROM %s WHERE client_id=:client_id OR client_id IS NULL ORDER BY client_id IS NOT NULL DESC', $this->config['public_key_table'])); @@ -441,6 +608,10 @@ public function getPublicKey($client_id = null) } } + /** + * @param mixed $client_id + * @return mixed + */ public function getPrivateKey($client_id = null) { $stmt = $this->db->prepare($sql = sprintf('SELECT private_key FROM %s WHERE client_id=:client_id OR client_id IS NULL ORDER BY client_id IS NOT NULL DESC', $this->config['public_key_table'])); @@ -451,6 +622,10 @@ public function getPrivateKey($client_id = null) } } + /** + * @param mixed $client_id + * @return string + */ public function getEncryptionAlgorithm($client_id = null) { $stmt = $this->db->prepare($sql = sprintf('SELECT encryption_algorithm FROM %s WHERE client_id=:client_id OR client_id IS NULL ORDER BY client_id IS NOT NULL DESC', $this->config['public_key_table'])); @@ -467,6 +642,9 @@ public function getEncryptionAlgorithm($client_id = null) * DDL to create OAuth2 database and tables for PDO storage * * @see https://github.com/dsquier/oauth2-server-php-mysql + * + * @param string $dbName + * @return string */ public function getBuildSql($dbName = 'oauth2_server_php') { @@ -481,73 +659,73 @@ public function getBuildSql($dbName = 'oauth2_server_php') PRIMARY KEY (client_id) ); - CREATE TABLE {$this->config['access_token_table']} ( - access_token VARCHAR(40) NOT NULL, - client_id VARCHAR(80) NOT NULL, - user_id VARCHAR(80), - expires TIMESTAMP NOT NULL, - scope VARCHAR(4000), - PRIMARY KEY (access_token) - ); + CREATE TABLE {$this->config['access_token_table']} ( + access_token VARCHAR(40) NOT NULL, + client_id VARCHAR(80) NOT NULL, + user_id VARCHAR(80), + expires TIMESTAMP NOT NULL, + scope VARCHAR(4000), + PRIMARY KEY (access_token) + ); - CREATE TABLE {$this->config['code_table']} ( - authorization_code VARCHAR(40) NOT NULL, - client_id VARCHAR(80) NOT NULL, - user_id VARCHAR(80), - redirect_uri VARCHAR(2000), - expires TIMESTAMP NOT NULL, - scope VARCHAR(4000), - id_token VARCHAR(1000), - PRIMARY KEY (authorization_code) - ); + CREATE TABLE {$this->config['code_table']} ( + authorization_code VARCHAR(40) NOT NULL, + client_id VARCHAR(80) NOT NULL, + user_id VARCHAR(80), + redirect_uri VARCHAR(2000), + expires TIMESTAMP NOT NULL, + scope VARCHAR(4000), + id_token VARCHAR(1000), + PRIMARY KEY (authorization_code) + ); - CREATE TABLE {$this->config['refresh_token_table']} ( - refresh_token VARCHAR(40) NOT NULL, - client_id VARCHAR(80) NOT NULL, - user_id VARCHAR(80), - expires TIMESTAMP NOT NULL, - scope VARCHAR(4000), - PRIMARY KEY (refresh_token) - ); + CREATE TABLE {$this->config['refresh_token_table']} ( + refresh_token VARCHAR(40) NOT NULL, + client_id VARCHAR(80) NOT NULL, + user_id VARCHAR(80), + expires TIMESTAMP NOT NULL, + scope VARCHAR(4000), + PRIMARY KEY (refresh_token) + ); - CREATE TABLE {$this->config['user_table']} ( - username VARCHAR(80), - password VARCHAR(80), - first_name VARCHAR(80), - last_name VARCHAR(80), - email VARCHAR(80), - email_verified BOOLEAN, - scope VARCHAR(4000) - ); + CREATE TABLE {$this->config['user_table']} ( + username VARCHAR(80), + password VARCHAR(80), + first_name VARCHAR(80), + last_name VARCHAR(80), + email VARCHAR(80), + email_verified BOOLEAN, + scope VARCHAR(4000) + ); - CREATE TABLE {$this->config['scope_table']} ( - scope VARCHAR(80) NOT NULL, - is_default BOOLEAN, - PRIMARY KEY (scope) - ); + CREATE TABLE {$this->config['scope_table']} ( + scope VARCHAR(80) NOT NULL, + is_default BOOLEAN, + PRIMARY KEY (scope) + ); - CREATE TABLE {$this->config['jwt_table']} ( - client_id VARCHAR(80) NOT NULL, - subject VARCHAR(80), - public_key VARCHAR(2000) NOT NULL - ); + CREATE TABLE {$this->config['jwt_table']} ( + client_id VARCHAR(80) NOT NULL, + subject VARCHAR(80), + public_key VARCHAR(2000) NOT NULL + ); - CREATE TABLE {$this->config['jti_table']} ( - issuer VARCHAR(80) NOT NULL, - subject VARCHAR(80), - audience VARCHAR(80), - expires TIMESTAMP NOT NULL, - jti VARCHAR(2000) NOT NULL - ); + CREATE TABLE {$this->config['jti_table']} ( + issuer VARCHAR(80) NOT NULL, + subject VARCHAR(80), + audiance VARCHAR(80), + expires TIMESTAMP NOT NULL, + jti VARCHAR(2000) NOT NULL + ); - CREATE TABLE {$this->config['public_key_table']} ( - client_id VARCHAR(80), - public_key VARCHAR(2000), - private_key VARCHAR(2000), - encryption_algorithm VARCHAR(100) DEFAULT 'RS256' - ) -"; + CREATE TABLE {$this->config['public_key_table']} ( + client_id VARCHAR(80), + public_key VARCHAR(2000), + private_key VARCHAR(2000), + encryption_algorithm VARCHAR(100) DEFAULT 'RS256' + ) + "; return $sql; } -} +} \ No newline at end of file diff --git a/src/OAuth2/Storage/PublicKeyInterface.php b/src/OAuth2/Storage/PublicKeyInterface.php index 108418d3a..a6dc49fb5 100644 --- a/src/OAuth2/Storage/PublicKeyInterface.php +++ b/src/OAuth2/Storage/PublicKeyInterface.php @@ -10,7 +10,21 @@ */ interface PublicKeyInterface { + /** + * @param mixed $client_id + * @return mixed + */ public function getPublicKey($client_id = null); + + /** + * @param mixed $client_id + * @return mixed + */ public function getPrivateKey($client_id = null); + + /** + * @param mixed $client_id + * @return mixed + */ public function getEncryptionAlgorithm($client_id = null); -} +} \ No newline at end of file diff --git a/src/OAuth2/Storage/UserCredentialsInterface.php b/src/OAuth2/Storage/UserCredentialsInterface.php index 6e0fd7bad..f550579e4 100644 --- a/src/OAuth2/Storage/UserCredentialsInterface.php +++ b/src/OAuth2/Storage/UserCredentialsInterface.php @@ -37,15 +37,15 @@ interface UserCredentialsInterface public function checkUserCredentials($username, $password); /** - * @return - * ARRAY the associated "user_id" and optional "scope" values - * This function MUST return FALSE if the requested user does not exist or is - * invalid. "scope" is a space-separated list of restricted scopes. + * @param string $username - username to get details for + * @return array|false - the associated "user_id" and optional "scope" values + * This function MUST return FALSE if the requested user does not exist or is + * invalid. "scope" is a space-separated list of restricted scopes. * @code - * return array( - * "user_id" => USER_ID, // REQUIRED user_id to be stored with the authorization code or access token - * "scope" => SCOPE // OPTIONAL space-separated list of restricted scopes - * ); + * return array( + * "user_id" => USER_ID, // REQUIRED user_id to be stored with the authorization code or access token + * "scope" => SCOPE // OPTIONAL space-separated list of restricted scopes + * ); * @endcode */ public function getUserDetails($username); diff --git a/test/OAuth2/AutoloadTest.php b/test/OAuth2/AutoloadTest.php index 5901bdc42..2cb292389 100644 --- a/test/OAuth2/AutoloadTest.php +++ b/test/OAuth2/AutoloadTest.php @@ -2,7 +2,9 @@ namespace OAuth2; -class AutoloadTest extends \PHPUnit_Framework_TestCase +use PHPUnit\Framework\TestCase; + +class AutoloadTest extends TestCase { public function testClassesExist() { diff --git a/test/OAuth2/Controller/AuthorizeControllerTest.php b/test/OAuth2/Controller/AuthorizeControllerTest.php index 3bfc760e4..fe3553b23 100644 --- a/test/OAuth2/Controller/AuthorizeControllerTest.php +++ b/test/OAuth2/Controller/AuthorizeControllerTest.php @@ -10,8 +10,9 @@ use OAuth2\Request; use OAuth2\Response; use OAuth2\Request\TestRequest; +use PHPUnit\Framework\TestCase; -class AuthorizeControllerTest extends \PHPUnit_Framework_TestCase +class AuthorizeControllerTest extends TestCase { public function testNoClientIdResponse() { diff --git a/test/OAuth2/Controller/ResourceControllerTest.php b/test/OAuth2/Controller/ResourceControllerTest.php index b277514a5..cd54d239a 100644 --- a/test/OAuth2/Controller/ResourceControllerTest.php +++ b/test/OAuth2/Controller/ResourceControllerTest.php @@ -7,8 +7,9 @@ use OAuth2\GrantType\AuthorizationCode; use OAuth2\Request; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class ResourceControllerTest extends \PHPUnit_Framework_TestCase +class ResourceControllerTest extends TestCase { public function testNoAccessToken() { diff --git a/test/OAuth2/Controller/TokenControllerTest.php b/test/OAuth2/Controller/TokenControllerTest.php index 4a217bd55..d18eaa6d7 100644 --- a/test/OAuth2/Controller/TokenControllerTest.php +++ b/test/OAuth2/Controller/TokenControllerTest.php @@ -10,8 +10,9 @@ use OAuth2\Scope; use OAuth2\Request\TestRequest; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class TokenControllerTest extends \PHPUnit_Framework_TestCase +class TokenControllerTest extends TestCase { public function testNoGrantType() { @@ -271,6 +272,48 @@ public function testInvalidRequestMethodForRevoke() $this->assertEquals($response->getParameter('error_description'), 'The request method must be POST when revoking an access token'); } + public function testCanUseCrossOriginRequestForRevoke() + { + $server = $this->getTestServer(); + + $request = new TestRequest(); + $request->setMethod('OPTIONS'); + + $server->handleRevokeRequest($request, $response = new Response()); + $this->assertTrue($response instanceof Response); + $this->assertEquals(200, $response->getStatusCode(), var_export($response, 1)); + $this->assertEquals($response->getHttpHeader('Allow'), 'POST, OPTIONS'); + } + + public function testInvalidRequestMethodForAccessToken() + { + $server = $this->getTestServer(); + + $request = new TestRequest(); + $request->setQuery(array( + 'token_type_hint' => 'access_token' + )); + + $server->handleTokenRequest($request, $response = new Response()); + $this->assertTrue($response instanceof Response); + $this->assertEquals(405, $response->getStatusCode(), var_export($response, 1)); + $this->assertEquals($response->getParameter('error'), 'invalid_request'); + $this->assertEquals($response->getParameter('error_description'), 'The request method must be POST when requesting an access token'); + } + + public function testCanUseCrossOriginRequestForAccessToken() + { + $server = $this->getTestServer(); + + $request = new TestRequest(); + $request->setMethod('OPTIONS'); + + $server->handleTokenRequest($request, $response = new Response()); + $this->assertTrue($response instanceof Response); + $this->assertEquals(200, $response->getStatusCode(), var_export($response, 1)); + $this->assertEquals($response->getHttpHeader('Allow'), 'POST, OPTIONS'); + } + public function testCreateController() { $storage = Bootstrap::getInstance()->getMemoryStorage(); diff --git a/test/OAuth2/Encryption/FirebaseJwtTest.php b/test/OAuth2/Encryption/FirebaseJwtTest.php index d34136767..c7e92c053 100644 --- a/test/OAuth2/Encryption/FirebaseJwtTest.php +++ b/test/OAuth2/Encryption/FirebaseJwtTest.php @@ -3,8 +3,9 @@ namespace OAuth2\Encryption; use OAuth2\Storage\Bootstrap; +use PHPUnit\Framework\TestCase; -class FirebaseJwtTest extends \PHPUnit_Framework_TestCase +class FirebaseJwtTest extends TestCase { private $privateKey; diff --git a/test/OAuth2/Encryption/JwtTest.php b/test/OAuth2/Encryption/JwtTest.php index 214eebac8..d73b4c923 100644 --- a/test/OAuth2/Encryption/JwtTest.php +++ b/test/OAuth2/Encryption/JwtTest.php @@ -3,8 +3,9 @@ namespace OAuth2\Encryption; use OAuth2\Storage\Bootstrap; +use PHPUnit\Framework\TestCase; -class JwtTest extends \PHPUnit_Framework_TestCase +class JwtTest extends TestCase { private $privateKey; diff --git a/test/OAuth2/GrantType/AuthorizationCodeTest.php b/test/OAuth2/GrantType/AuthorizationCodeTest.php index 356b8e53c..b2314ffc6 100644 --- a/test/OAuth2/GrantType/AuthorizationCodeTest.php +++ b/test/OAuth2/GrantType/AuthorizationCodeTest.php @@ -6,8 +6,9 @@ use OAuth2\Server; use OAuth2\Request\TestRequest; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class AuthorizationCodeTest extends \PHPUnit_Framework_TestCase +class AuthorizationCodeTest extends TestCase { public function testNoCode() { diff --git a/test/OAuth2/GrantType/ClientCredentialsTest.php b/test/OAuth2/GrantType/ClientCredentialsTest.php index f0d46ccb3..2a7d0eb3d 100644 --- a/test/OAuth2/GrantType/ClientCredentialsTest.php +++ b/test/OAuth2/GrantType/ClientCredentialsTest.php @@ -7,8 +7,9 @@ use OAuth2\Request\TestRequest; use OAuth2\Request; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class ClientCredentialsTest extends \PHPUnit_Framework_TestCase +class ClientCredentialsTest extends TestCase { public function testInvalidCredentials() { diff --git a/test/OAuth2/GrantType/ImplicitTest.php b/test/OAuth2/GrantType/ImplicitTest.php index a47aae3e8..14bf980f1 100644 --- a/test/OAuth2/GrantType/ImplicitTest.php +++ b/test/OAuth2/GrantType/ImplicitTest.php @@ -6,8 +6,9 @@ use OAuth2\Server; use OAuth2\Request; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class ImplicitTest extends \PHPUnit_Framework_TestCase +class ImplicitTest extends TestCase { public function testImplicitNotAllowedResponse() { diff --git a/test/OAuth2/GrantType/JwtBearerTest.php b/test/OAuth2/GrantType/JwtBearerTest.php index 0a6c4b827..e60023b3c 100644 --- a/test/OAuth2/GrantType/JwtBearerTest.php +++ b/test/OAuth2/GrantType/JwtBearerTest.php @@ -7,8 +7,9 @@ use OAuth2\Request\TestRequest; use OAuth2\Response; use OAuth2\Encryption\Jwt; +use PHPUnit\Framework\TestCase; -class JwtBearerTest extends \PHPUnit_Framework_TestCase +class JwtBearerTest extends TestCase { private $privateKey; diff --git a/test/OAuth2/GrantType/RefreshTokenTest.php b/test/OAuth2/GrantType/RefreshTokenTest.php index a458aad8a..c964c6bbd 100644 --- a/test/OAuth2/GrantType/RefreshTokenTest.php +++ b/test/OAuth2/GrantType/RefreshTokenTest.php @@ -6,8 +6,9 @@ use OAuth2\Server; use OAuth2\Request\TestRequest; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class RefreshTokenTest extends \PHPUnit_Framework_TestCase +class RefreshTokenTest extends TestCase { private $storage; diff --git a/test/OAuth2/GrantType/UserCredentialsTest.php b/test/OAuth2/GrantType/UserCredentialsTest.php index 18943d055..8b725e13a 100644 --- a/test/OAuth2/GrantType/UserCredentialsTest.php +++ b/test/OAuth2/GrantType/UserCredentialsTest.php @@ -6,8 +6,9 @@ use OAuth2\Server; use OAuth2\Request\TestRequest; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class UserCredentialsTest extends \PHPUnit_Framework_TestCase +class UserCredentialsTest extends TestCase { public function testNoUsername() { diff --git a/test/OAuth2/OpenID/Controller/AuthorizeControllerTest.php b/test/OAuth2/OpenID/Controller/AuthorizeControllerTest.php index 46de936d8..fdc16daba 100644 --- a/test/OAuth2/OpenID/Controller/AuthorizeControllerTest.php +++ b/test/OAuth2/OpenID/Controller/AuthorizeControllerTest.php @@ -6,8 +6,9 @@ use OAuth2\Server; use OAuth2\Request; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class AuthorizeControllerTest extends \PHPUnit_Framework_TestCase +class AuthorizeControllerTest extends TestCase { public function testValidateAuthorizeRequest() { diff --git a/test/OAuth2/OpenID/Controller/UserInfoControllerTest.php b/test/OAuth2/OpenID/Controller/UserInfoControllerTest.php index b1b687077..62e84df57 100644 --- a/test/OAuth2/OpenID/Controller/UserInfoControllerTest.php +++ b/test/OAuth2/OpenID/Controller/UserInfoControllerTest.php @@ -6,8 +6,9 @@ use OAuth2\Server; use OAuth2\Request; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class UserInfoControllerTest extends \PHPUnit_Framework_TestCase +class UserInfoControllerTest extends TestCase { public function testCreateController() { diff --git a/test/OAuth2/OpenID/GrantType/AuthorizationCodeTest.php b/test/OAuth2/OpenID/GrantType/AuthorizationCodeTest.php index 776002d1e..c89a1ae97 100644 --- a/test/OAuth2/OpenID/GrantType/AuthorizationCodeTest.php +++ b/test/OAuth2/OpenID/GrantType/AuthorizationCodeTest.php @@ -6,8 +6,9 @@ use OAuth2\Server; use OAuth2\Request\TestRequest; use OAuth2\Response; +use PHPUnit\Framework\TestCase; -class AuthorizationCodeTest extends \PHPUnit_Framework_TestCase +class AuthorizationCodeTest extends TestCase { public function testValidCode() { diff --git a/test/OAuth2/OpenID/ResponseType/CodeIdTokenTest.php b/test/OAuth2/OpenID/ResponseType/CodeIdTokenTest.php index b0311434a..7b892c946 100644 --- a/test/OAuth2/OpenID/ResponseType/CodeIdTokenTest.php +++ b/test/OAuth2/OpenID/ResponseType/CodeIdTokenTest.php @@ -7,8 +7,9 @@ use OAuth2\Response; use OAuth2\Storage\Bootstrap; use OAuth2\GrantType\ClientCredentials; +use PHPUnit\Framework\TestCase; -class CodeIdTokenTest extends \PHPUnit_Framework_TestCase +class CodeIdTokenTest extends TestCase { public function testHandleAuthorizeRequest() { diff --git a/test/OAuth2/OpenID/ResponseType/IdTokenTest.php b/test/OAuth2/OpenID/ResponseType/IdTokenTest.php index e772f6be4..a0df3a936 100644 --- a/test/OAuth2/OpenID/ResponseType/IdTokenTest.php +++ b/test/OAuth2/OpenID/ResponseType/IdTokenTest.php @@ -8,8 +8,9 @@ use OAuth2\Storage\Bootstrap; use OAuth2\GrantType\ClientCredentials; use OAuth2\Encryption\Jwt; +use PHPUnit\Framework\TestCase; -class IdTokenTest extends \PHPUnit_Framework_TestCase +class IdTokenTest extends TestCase { public function testValidateAuthorizeRequest() { diff --git a/test/OAuth2/OpenID/ResponseType/IdTokenTokenTest.php b/test/OAuth2/OpenID/ResponseType/IdTokenTokenTest.php index bc564d37b..0573a9866 100644 --- a/test/OAuth2/OpenID/ResponseType/IdTokenTokenTest.php +++ b/test/OAuth2/OpenID/ResponseType/IdTokenTokenTest.php @@ -8,8 +8,9 @@ use OAuth2\Storage\Bootstrap; use OAuth2\GrantType\ClientCredentials; use OAuth2\ResponseType\AccessToken; +use PHPUnit\Framework\TestCase; -class IdTokenTokenTest extends \PHPUnit_Framework_TestCase +class IdTokenTokenTest extends TestCase { public function testHandleAuthorizeRequest() diff --git a/test/OAuth2/RequestTest.php b/test/OAuth2/RequestTest.php index 10db3215c..cbf8f096b 100644 --- a/test/OAuth2/RequestTest.php +++ b/test/OAuth2/RequestTest.php @@ -5,8 +5,9 @@ use OAuth2\Request\TestRequest; use OAuth2\Storage\Bootstrap; use OAuth2\GrantType\AuthorizationCode; +use PHPUnit\Framework\TestCase; -class RequestTest extends \PHPUnit_Framework_TestCase +class RequestTest extends TestCase { public function testRequestOverride() { diff --git a/test/OAuth2/ResponseTest.php b/test/OAuth2/ResponseTest.php index b8149005d..2d2c57ee6 100644 --- a/test/OAuth2/ResponseTest.php +++ b/test/OAuth2/ResponseTest.php @@ -1,8 +1,8 @@ query = $query; } + public function setMethod($method) + { + $this->server['REQUEST_METHOD'] = $method; + } + public function setPost(array $params) { - $this->server['REQUEST_METHOD'] = 'POST'; + $this->setMethod('POST'); $this->request = $params; } diff --git a/test/lib/OAuth2/Storage/BaseTest.php b/test/lib/OAuth2/Storage/BaseTest.php index f0b1274a2..e841d3ad2 100755 --- a/test/lib/OAuth2/Storage/BaseTest.php +++ b/test/lib/OAuth2/Storage/BaseTest.php @@ -2,7 +2,9 @@ namespace OAuth2\Storage; -abstract class BaseTest extends \PHPUnit_Framework_TestCase +use PHPUnit\Framework\TestCase; + +abstract class BaseTest extends TestCase { public function provideStorage() {